From a470466d176986f448b8f2169e0ce72299b1217e Mon Sep 17 00:00:00 2001 
From: Nicolas Klose Date: Wed, 8 Jan 2025 18:46:06 +0100 Subject: [PATCH] fixed loop stuff --- src/main/scala/biabduction/Abduction.scala | 2 + src/main/scala/biabduction/Abstraction.scala | 68 +- src/main/scala/biabduction/BiAbduction.scala | 41 +- src/main/scala/biabduction/Invariant.scala | 33 +- .../scala/biabduction/VarTransformer.scala | 28 +- .../scala/rules/ExecutionFlowController.scala | 27 +- src/main/scala/rules/Executor.scala | 2 +- .../biabduction/dafny/examples-16.0.0.vpr | 19 + .../biabduction/dafny/examples-16.0.1.vpr | 20 + .../biabduction/dafny/examples-16.1.0.vpr | 25 + .../biabduction/dafny/examples-16.1.1.vpr | 128 + .../biabduction/dafny/examples-16.2.vpr | 184 + .../biabduction/dafny/exercises-16.0.vpr | 139 + .../biabduction/dafny/exercises-16.1.vpr | 275 + .../biabduction/dafny/exercises-16.2.vpr | 36 + .../biabduction/dafny/exercises-16.3.vpr | 16 + .../frontends/chalice/AVLTree.iterative.vpr | 232 + .../chalice/FoldUnfoldExperiments.vpr | 39 + .../frontends/chalice/RingBufferRd.vpr | 137 + .../frontends/chalice/internal-bug-7.vpr | 19 + .../biabduction/frontends/chalice/swap.vpr | 20 + .../biabduction/frontends/chalice/test1.vpr | 45 + .../biabduction/frontends/chalice/test10.vpr | 15 + .../biabduction/frontends/chalice/test2.vpr | 53 + .../biabduction/frontends/chalice/test3.vpr | 22 + .../biabduction/frontends/chalice/test8.vpr | 46 + .../gobra/binary_search_tree.gobra.vpr | 1876 ++++ .../frontends/gobra/binary_tree.gobra.vpr | 733 ++ .../frontends/gobra/initiator_main.go.vpr | 8250 +++++++++++++++++ .../frontends/gobra/responder_main.go.vpr | 7177 ++++++++++++++ .../frontends/gobra/scion_DecodeAddrHdr.vpr | 3749 ++++++++ .../frontends/gobra/scion_DecodeFromBytes.vpr | 4461 +++++++++ .../gobra/scion_SerializeAddrHdr.vpr | 3908 ++++++++ .../frontends/gobra/scion_SerializeTo.vpr | 4287 +++++++++ .../frontends/gobra/scion_packAddr.vpr | 3159 +++++++ .../gobra/scion_pseudoHeaderChecksum.vpr | 3100 +++++++ 
...l-rfc-case1.rs_nll_rfc_case1--bar-Both.vpr | 1502 +++ ...ase1.rs_nll_rfc_case1--capitalize-Both.vpr | 1353 +++ ...-rfc-case1.rs_nll_rfc_case1--main-Both.vpr | 305 + ...utes_routes.rs_routes--borrow_nth-Both.vpr | 1001 ++ ...outes_routes.rs_routes--get_nth_x-Both.vpr | 766 ++ ...k_routes_routes.rs_routes--length-Both.vpr | 672 ++ ...ick_routes_routes.rs_routes--main-Both.vpr | 292 + ...tes_routes.rs_routes--shift_nth_x-Both.vpr | 660 ++ ..._routes_routes.rs_routes--shift_x-Both.vpr | 377 + ...t_Heapsort.rs_Heapsort--heap_sort-Both.vpr | 1431 +++ ...apsort_Heapsort.rs_Heapsort--main-Both.vpr | 292 + ...psort_Heapsort.rs_Heapsort--order-Both.vpr | 321 + ..._Heapsort.rs_Heapsort--shift_down-Both.vpr | 1633 ++++ ...rs_Knights_tour--Board--available-Both.vpr | 761 ++ ...Knights_tour--Board--count_degree-Both.vpr | 1092 +++ ..._tour.rs_Knights_tour--Board--new-Both.vpr | 320 + ...our.rs_Knights_tour--Point--clone-Both.vpr | 366 + ..._tour.rs_Knights_tour--Point--mov-Both.vpr | 454 + ...our.rs_Knights_tour--knights_tour-Both.vpr | 3680 ++++++++ ...nights_tour.rs_Knights_tour--main-Both.vpr | 663 ++ ...ights_tour.rs_Knights_tour--valid-Both.vpr | 868 ++ ...e.rs_Knuth_shuffle--knuth_shuffle-Both.vpr | 1065 +++ ...th_shuffle.rs_Knuth_shuffle--main-Both.vpr | 292 + ...th_shuffle.rs_Knuth_shuffle--test-Both.vpr | 745 ++ ...utes_routes.rs_routes--borrow_nth-Both.vpr | 1001 ++ ...outes_routes.rs_routes--get_nth_x-Both.vpr | 766 ++ ...s_routes_routes.rs_routes--length-Both.vpr | 672 ++ ...les_routes_routes.rs_routes--main-Both.vpr | 292 + ...tes_routes.rs_routes--shift_nth_x-Both.vpr | 660 ++ ..._routes_routes.rs_routes--shift_x-Both.vpr | 377 + ...tion_sort.rs_selection_sort--main-Both.vpr | 292 + ...rs_selection_sort--selection_sort-Both.vpr | 2186 +++++ ...-space-as-space-std--ops--Drop-closean.vpr | 912 ++ ...al.rs_first_final--Link--is_empty-Both.vpr | 548 ++ ...t-final.rs_first_final--Link--len-Both.vpr | 630 ++ ...inal.rs_first_final--Link--lookup-Both.vpr | 716 ++ 
...t-final.rs_first_final--List--len-Both.vpr | 471 + ...inal.rs_first_final--List--lookup-Both.vpr | 564 ++ ...t-final.rs_first_final--List--new-Both.vpr | 503 + ...t-final.rs_first_final--List--pop-Both.vpr | 948 ++ ...-final.rs_first_final--List--push-Both.vpr | 800 ++ ...rst_final--TrustedOption--is_none-Both.vpr | 464 + ...rst_final--TrustedOption--is_some-Both.vpr | 464 + ..._first_final--TrustedOption--peek-Both.vpr | 489 + ..._first-final.rs_first_final--main-Both.vpr | 292 + ...inal.rs_first_final--test--basics-Both.vpr | 1925 ++++ ...borrow_first.rs_borrow_first--foo-Both.vpr | 798 ++ ...orrow_first.rs_borrow_first--main-Both.vpr | 292 + ...t.rs_borrow_first--some_condition-Both.vpr | 319 + .../strong_spec/correct/BagStack-I.vl.vpr | 3838 ++++++++ .../correct/BoundedCounter-I.vl.vpr | 1211 +++ .../strong_spec/correct/CASCounter-I.vl.vpr | 1536 +++ .../strong_spec/correct/ForkJoin-I.vl.vpr | 964 ++ .../correct/ForkJoinClient-I.vl.vpr | 3123 +++++++ .../strong_spec/correct/IncDec-I.vl.vpr | 2115 +++++ .../strong_spec/correct/SpinLock-I.vl.vpr | 958 ++ .../correct/TicketLock-ISpec.vl.vpr | 2860 ++++++ .../correct/TicketLockClient-I.vl.vpr | 1800 ++++ .../weak_spec/correct/BagStack.vl.vpr | 3406 +++++++ .../weak_spec/correct/BoundedCounter.vl.vpr | 1162 +++ .../weak_spec/correct/CASCounter.vl.vpr | 1073 +++ .../weak_spec/correct/CounterClient.vl.vpr | 5570 +++++++++++ .../weak_spec/correct/ForkJoin.vl.vpr | 831 ++ .../weak_spec/correct/ForkJoinClient.vl.vpr | 2771 ++++++ .../weak_spec/correct/IncDec.vl.vpr | 1797 ++++ .../weak_spec/correct/SpinLock.vl.vpr | 951 ++ .../weak_spec/correct/TicketLock.vl.vpr | 1590 ++++ .../weak_spec/correct/TicketLockClient.vl.vpr | 1615 ++++ .../grasshopper/nested_sl/destroy.vpr | 32 + .../grasshopper/nested_sl/insert.vpr | 101 + .../grasshopper/nested_sl/nested_def.vpr | 12 + .../grasshopper/nested_sl/remove.vpr | 99 + .../grasshopper/nested_sl/traverse.vpr | 46 + .../biabduction/grasshopper/sl/sl.vpr | 6 + 
.../biabduction/grasshopper/sl/sl_concat.vpr | 32 + .../biabduction/grasshopper/sl/sl_copy.vpr | 34 + .../biabduction/grasshopper/sl/sl_dispose.vpr | 19 + .../grasshopper/sl/sl_double_all.vpr | 29 + .../biabduction/grasshopper/sl/sl_filter.vpr | 46 + .../biabduction/grasshopper/sl/sl_insert.vpr | 43 + .../grasshopper/sl/sl_pairwise_sum.vpr | 77 + .../biabduction/grasshopper/sl/sl_remove.vpr | 41 + .../biabduction/grasshopper/sl/sl_reverse.vpr | 22 + .../grasshopper/sl/sl_set_difference.vpr | 155 + .../grasshopper/sl/sl_set_intersect.vpr | 74 + .../grasshopper/sl/sl_set_union.vpr | 58 + .../grasshopper/sl/sl_sort_insertion.vpr | 34 + .../grasshopper/sl/sl_sort_merge.vpr | 130 + .../grasshopper/sl/sl_sort_quicksort.vpr | 116 + .../grasshopper/sl/sl_sort_strand.vpr | 120 + .../grasshopper/sl/sl_traverse.vpr | 51 + .../grasshopper/tree/list2tree.vpr | 26 + .../grasshopper/tree/skew_heap.spl | 79 + .../grasshopper/tree/skew_heap_no_content.spl | 57 + .../biabduction/grasshopper/tree/tree.vpr | 14 + .../grasshopper/tree/tree2list.vpr | 52 + .../grasshopper/tree/tree_contains.vpr | 43 + .../grasshopper/tree/tree_destroy.vpr | 42 + .../grasshopper/tree/tree_extract_max.vpr | 53 + .../grasshopper/tree/tree_insert.vpr | 57 + .../grasshopper/tree/tree_merge.vpr | 23 + .../grasshopper/tree/tree_remove.vpr | 89 + .../grasshopper/tree/tree_rotate_left.vpr | 17 + .../grasshopper/tree/tree_rotate_right.vpr | 19 + .../grasshopper/tree/tree_singleton.vpr | 13 + .../grasshopper/tree/tree_skew_union.vpr | 60 + .../biabduction/{ => mytests}/nlist/alias.vpr | 0 .../biabduction/{ => mytests}/nlist/apply.vpr | 0 .../{ => mytests}/nlist/branching.vpr | 0 .../biabduction/{ => mytests}/nlist/bug.vpr | 0 .../biabduction/{ => mytests}/nlist/build.vpr | 0 .../biabduction/{ => mytests}/nlist/fold.vpr | 0 .../{ => mytests}/nlist/foldbase.vpr | 0 .../{ => mytests}/nlist/hidden.vpr | 0 .../{ => mytests}/nlist/lookahead.vpr | 0 .../biabduction/{ => mytests}/nlist/loop.vpr | 0 .../{ => 
mytests}/nlist/methodcall.vpr | 0 .../biabduction/{ => mytests}/nlist/nlist.vpr | 0 .../{ => mytests}/nlist/package.vpr | 0 .../{ => mytests}/nlist/postabstraction.vpr | 0 .../{ => mytests}/nlist/reassign.vpr | 0 .../{ => mytests}/nlist/remove.vpr | 0 .../{ => mytests}/nlist/strict.vpr | 0 .../{ => mytests}/nlist/unfeas.vpr | 0 .../{ => mytests}/nlist/unfold.vpr | 0 .../biabduction/{ => mytests}/nnlist/fold.vpr | 0 .../biabduction/{ => mytests}/nnlist/loop.vpr | 0 .../{ => mytests}/nnlist/nnlist.vpr | 0 .../{ => mytests}/ntree/foldtree.vpr | 0 .../{ => mytests}/ntree/looptree.vpr | 0 .../{ => mytests}/ntree/unfold.vpr | 0 src/test/resources/biabduction/slist.vpr | 34 - .../biabduction/vipertests/basic/assert.vpr | 13 + .../vipertests/basic/disjunction_fast_20.vpr | 215 + .../vipertests/basic/disjunction_slow_20.vpr | 215 + .../biabduction/vipertests/basic/funcpred.vpr | 35 + .../vipertests/functions/linkedlists.vpr | 163 + .../functions/recursive_unrolling.vpr | 51 + .../vipertests/predicates/arguments.vpr | 90 + .../predicates/different_field_types.vpr | 58 + .../vipertests/predicates/non-aliasing.vpr | 37 + .../tree-delete-min/tree_delete_min.vpr | 93 + .../biabduction/vipertests/wands/Assume.vpr | 20 + .../vipertests/wands/IfElsePackage.vpr | 23 + .../vipertests/wands/ListIterator.vpr | 347 + .../vipertests/wands/SnapshotsBranching.vpr | 32 + .../wands/SnapshotsNestedMagicWands.vpr | 59 + .../wands/UnfoldPredicateOnField.vpr | 16 + .../vipertests/wands/VariableAccess.vpr | 25 + .../vipertests/wands/conditionals.vpr | 110 + .../vipertests/wands/eval_states.vpr | 64 + .../biabduction/vipertests/wands/folding.vpr | 107 + .../biabduction/vipertests/wands/issue009.vpr | 26 + .../vipertests/wands/let_wands.vpr | 147 + .../biabduction/vipertests/wands/lhs.vpr | 36 + .../vipertests/wands/list_insert.vpr | 114 + .../vipertests/wands/list_insert_noseq.vpr | 96 + .../biabduction/vipertests/wands/list_sum.vpr | 98 + .../wands/loop_sum_ghostvar_old.vpr | 75 + 
.../biabduction/vipertests/wands/nesting.vpr | 29 + .../vipertests/wands/tree_delete_min.vpr | 91 + .../vipertests/wands/un_currying.vpr | 62 + 198 files changed, 124339 insertions(+), 97 deletions(-) create mode 100644 src/test/resources/biabduction/dafny/examples-16.0.0.vpr create mode 100644 src/test/resources/biabduction/dafny/examples-16.0.1.vpr create mode 100644 src/test/resources/biabduction/dafny/examples-16.1.0.vpr create mode 100644 src/test/resources/biabduction/dafny/examples-16.1.1.vpr create mode 100644 src/test/resources/biabduction/dafny/examples-16.2.vpr create mode 100644 src/test/resources/biabduction/dafny/exercises-16.0.vpr create mode 100644 src/test/resources/biabduction/dafny/exercises-16.1.vpr create mode 100644 src/test/resources/biabduction/dafny/exercises-16.2.vpr create mode 100644 src/test/resources/biabduction/dafny/exercises-16.3.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/AVLTree.iterative.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/FoldUnfoldExperiments.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/RingBufferRd.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/internal-bug-7.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/swap.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/test1.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/test10.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/test2.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/test3.vpr create mode 100644 src/test/resources/biabduction/frontends/chalice/test8.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/binary_search_tree.gobra.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/binary_tree.gobra.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/initiator_main.go.vpr create mode 100644 
src/test/resources/biabduction/frontends/gobra/responder_main.go.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/scion_DecodeAddrHdr.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/scion_DecodeFromBytes.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/scion_SerializeAddrHdr.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/scion_SerializeTo.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/scion_packAddr.vpr create mode 100644 src/test/resources/biabduction/frontends/gobra/scion_pseudoHeaderChecksum.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--bar-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--capitalize-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--borrow_nth-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--get_nth_x-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--length-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_nth_x-Both.vpr create mode 100644 
src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_x-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--heap_sort-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--order-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--shift_down-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--available-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--count_degree-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--new-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--clone-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--mov-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--knights_tour-Both.vpr create mode 100644 
src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--valid-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--knuth_shuffle-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--test-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--borrow_nth-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--get_nth_x-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--length-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_nth_x-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_x-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--main-Both.vpr create mode 100644 
src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--selection_sort-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final---openang-List-space-as-space-std--ops--Drop-closean.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--is_empty-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--len-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--lookup-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--len-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--lookup-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--new-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--pop-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--push-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_none-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_some-Both.vpr create mode 100644 
src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--peek-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--test--basics-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--foo-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--main-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--some_condition-Both.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BagStack-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BoundedCounter-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/CASCounter-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoin-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoinClient-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/IncDec-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/SpinLock-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLock-ISpec.vl.vpr create mode 100644 
src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLockClient-I.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BagStack.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BoundedCounter.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CASCounter.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CounterClient.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoin.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoinClient.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/IncDec.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/SpinLock.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLock.vl.vpr create mode 100644 src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLockClient.vl.vpr create mode 100644 src/test/resources/biabduction/grasshopper/nested_sl/destroy.vpr create mode 100644 src/test/resources/biabduction/grasshopper/nested_sl/insert.vpr create mode 100644 src/test/resources/biabduction/grasshopper/nested_sl/nested_def.vpr create mode 100644 src/test/resources/biabduction/grasshopper/nested_sl/remove.vpr create mode 100644 src/test/resources/biabduction/grasshopper/nested_sl/traverse.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_concat.vpr create mode 100644 
src/test/resources/biabduction/grasshopper/sl/sl_copy.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_dispose.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_double_all.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_filter.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_insert.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_pairwise_sum.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_remove.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_reverse.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_set_difference.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_set_intersect.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_set_union.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_sort_insertion.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_sort_merge.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_sort_quicksort.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_sort_strand.vpr create mode 100644 src/test/resources/biabduction/grasshopper/sl/sl_traverse.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/list2tree.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/skew_heap.spl create mode 100644 src/test/resources/biabduction/grasshopper/tree/skew_heap_no_content.spl create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree2list.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_contains.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_destroy.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_extract_max.vpr create mode 100644 
src/test/resources/biabduction/grasshopper/tree/tree_insert.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_merge.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_remove.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_rotate_left.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_rotate_right.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_singleton.vpr create mode 100644 src/test/resources/biabduction/grasshopper/tree/tree_skew_union.vpr rename src/test/resources/biabduction/{ => mytests}/nlist/alias.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/apply.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/branching.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/bug.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/build.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/fold.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/foldbase.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/hidden.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/lookahead.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/loop.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/methodcall.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/nlist.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/package.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/postabstraction.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/reassign.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/remove.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/strict.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nlist/unfeas.vpr (100%) rename src/test/resources/biabduction/{ 
=> mytests}/nlist/unfold.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nnlist/fold.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nnlist/loop.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/nnlist/nnlist.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/ntree/foldtree.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/ntree/looptree.vpr (100%) rename src/test/resources/biabduction/{ => mytests}/ntree/unfold.vpr (100%) delete mode 100644 src/test/resources/biabduction/slist.vpr create mode 100644 src/test/resources/biabduction/vipertests/basic/assert.vpr create mode 100644 src/test/resources/biabduction/vipertests/basic/disjunction_fast_20.vpr create mode 100644 src/test/resources/biabduction/vipertests/basic/disjunction_slow_20.vpr create mode 100644 src/test/resources/biabduction/vipertests/basic/funcpred.vpr create mode 100644 src/test/resources/biabduction/vipertests/functions/linkedlists.vpr create mode 100644 src/test/resources/biabduction/vipertests/functions/recursive_unrolling.vpr create mode 100644 src/test/resources/biabduction/vipertests/predicates/arguments.vpr create mode 100644 src/test/resources/biabduction/vipertests/predicates/different_field_types.vpr create mode 100644 src/test/resources/biabduction/vipertests/predicates/non-aliasing.vpr create mode 100644 src/test/resources/biabduction/vipertests/tree-delete-min/tree_delete_min.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/Assume.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/IfElsePackage.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/ListIterator.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/SnapshotsBranching.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/SnapshotsNestedMagicWands.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/UnfoldPredicateOnField.vpr create mode 100644 
src/test/resources/biabduction/vipertests/wands/VariableAccess.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/conditionals.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/eval_states.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/folding.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/issue009.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/let_wands.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/lhs.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/list_insert.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/list_insert_noseq.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/list_sum.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/loop_sum_ghostvar_old.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/nesting.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/tree_delete_min.vpr create mode 100644 src/test/resources/biabduction/vipertests/wands/un_currying.vpr diff --git a/src/main/scala/biabduction/Abduction.scala b/src/main/scala/biabduction/Abduction.scala index 3d13466f..aa8aae50 100644 --- a/src/main/scala/biabduction/Abduction.scala +++ b/src/main/scala/biabduction/Abduction.scala @@ -215,6 +215,7 @@ object AbductionFold extends AbductionRule { // TODO nklose if the predicate is conditional in a weird way, then this might be wrong? case Some((field, chunk)) => val wildcards = q.s.constrainableARPs -- q.s.constrainableARPs + val fargs = pred.formalArgs.map(_.localVar) val eArgs = a.loc.args val formalsToActuals: Map[ast.LocalVar, ast.Exp] = fargs.zip(eArgs).to(Map) 
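Review bot: The `fargs`/`eArgs`/`formalsToActuals` construction added here is the same three-line sequence this commit also adds to `AbstractionFold` in Abstraction.scala, so it would read better as one shared helper, e.g. `def formalsToActuals(pred: ast.Predicate, args: Seq[ast.Exp]): Map[ast.LocalVar, ast.Exp] = pred.formalArgs.map(_.localVar).zip(args).to(Map)` next to the existing `abductionUtils.getField`. `zip` silently truncates when the two sequences differ in length, so the helper (or this site) deserves either a `require(fargs.size == eArgs.size)` or a comment stating that the type-checker guarantees equal arity for a predicate access. The enclosing method starts and ends outside this hunk.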
@@ -371,6 +372,7 @@ object AbductionApply extends AbductionRule { } } +// TODO nklose this should actually do a package after simulating it. Then we do not have issues with the correct state at the end object AbductionPackage extends AbductionRule { override def apply(q: AbductionQuestion)(Q: Option[AbductionQuestion] => VerificationResult): VerificationResult = { diff --git a/src/main/scala/biabduction/Abstraction.scala b/src/main/scala/biabduction/Abstraction.scala index 1956b144..1eef2f2c 100644 --- a/src/main/scala/biabduction/Abstraction.scala +++ b/src/main/scala/biabduction/Abstraction.scala @@ -1,6 +1,6 @@ package viper.silicon.biabduction -import viper.silicon.interfaces.VerificationResult +import viper.silicon.interfaces.{Success, VerificationResult} import viper.silicon.interfaces.state.Chunk import viper.silicon.resources._ import viper.silicon.rules._ 
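Review bot: `Success` is added to the `viper.silicon.interfaces` import, but none of the hunks of Abstraction.scala in this commit refer to it — the new fallback in `AbstractionFold` inspects `res.state` and returns `f` or calls `T(s4, v4)` rather than matching on `Success`. If nothing else in the file uses it, the line should stay `import viper.silicon.interfaces.VerificationResult`; if a `Success` match was intended in the new code, that use is what is missing. I can only see part of the file, so this may be consumed by a later hunk.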
@@ -41,12 +41,34 @@ object AbstractionFold extends AbstractionRule { val wildcards = q.s.constrainableARPs -- q.s.constrainableARPs executionFlowController.tryOrElse0(q.s, q.v) { (s1, v1, T) => + + val fargs = pred.formalArgs.map(_.localVar) + val eArgs = q.varTran.transformTerm(chunk.args.head) + val formalsToActuals: Map[LocalVar, Exp] = fargs.zip(eArgs).to(Map) + val reasonTransformer = (n: viper.silver.verifier.errors.ErrorNode) => n.replace(formalsToActuals) + val pveTransformed = pve.withReasonNodeTransformed(reasonTransformer) + // TODO nklose this can branch - predicateSupporter.fold(s1, pred, List(chunk.args.head), None, terms.FullPerm, Some(FullPerm()()), wildcards, pve, v1)(T) - } { - (s2, v2) => Q(Some(q.copy(s = s2, v = v2))) + predicateSupporter.fold(s1, pred, List(chunk.args.head), None, terms.FullPerm, Some(FullPerm()()), wildcards, pveTransformed, v1)(T) + } { + (s2, v2) => Q(Some(q.copy(s = s2, v = v2))) } { - _ => checkChunks(rest, q)(Q) + f => + executionFlowController.tryOrElse0(q.s, q.v) { + (s3, v3, T) => + BiAbductionSolver.solveAbduction(s3, v3, f, None) { (s4, res, v4) => + res.state match { + case Seq() => T(s4, v4) + case _ => f + } + } + } { + (s5, v5) => + Q(Some(q.copy(s = s5, v = v5))) + } { + f => + checkChunks(rest, q)(Q) + } } } } @@ -60,6 +82,7 @@ object AbstractionFold extends AbstractionRule { object AbstractionPackage extends AbstractionRule { + // TODO nklose we should only trigger on fields for which there is a recursive predicate call @tailrec private def findWandFieldChunk(chunks: Seq[Chunk], q: AbstractionQuestion): Option[(Exp, BasicChunk)] = { chunks match { 
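Review bot: In the new failure branch of AbstractionFold the outermost `f =>` shadows the `f` bound by the enclosing failure handler and is itself unused, so `case _ => f` inside the solveAbduction callback refers to a different `f` than a reader expects; writing the inner handler as `_ => checkChunks(rest, q)(Q)` removes the ambiguity. `q.varTran.transformTerm(chunk.args.head)` returns an Option, so `fargs.zip(eArgs)` only works through the implicit Option-to-Iterable conversion, and when the transform yields None `formalsToActuals` is empty and `reasonTransformer` silently becomes a no-op; `val eArgs = q.varTran.transformTerm(chunk.args.head).toSeq` makes that explicit, and a comment like `// no actual expression for the receiver: the error is reported against the formal` would document the fallback. The enclosing function (apparently `checkChunks`, given the recursive call) starts before the hunk.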
@@ -76,16 +99,17 @@ object AbstractionPackage extends AbstractionRule { override def apply(q: AbstractionQuestion)(Q: Option[AbstractionQuestion] => VerificationResult): VerificationResult = { findWandFieldChunk(q.s.h.values.toSeq, q) match { - case None => Q(None) - case Some((lhsArg, chunk)) => - val pred = q.fields(abductionUtils.getField(chunk.id, q.s.program)) - val lhs = PredicateAccessPredicate(PredicateAccess(Seq(lhsArg), pred)(NoPosition, NoInfo, NoTrafos), FullPerm()())() - val rhsArg = q.varTran.transformTerm(chunk.args.head).get - val rhs = PredicateAccessPredicate(PredicateAccess(Seq(rhsArg), pred)(NoPosition, NoInfo, NoTrafos), FullPerm()())() - val wand = MagicWand(lhs, rhs)() - executor.exec(q.s, Assert(wand)(), q.v) { - (s1, sv) => - Q(Some(q.copy(s = s1, v = sv)))} + case None => Q(None) + case Some((lhsArg, chunk)) => + val pred = q.fields(abductionUtils.getField(chunk.id, q.s.program)) + val lhs = PredicateAccessPredicate(PredicateAccess(Seq(lhsArg), pred)(NoPosition, NoInfo, NoTrafos), FullPerm()())() + val rhsArg = q.varTran.transformTerm(chunk.args.head).get + val rhs = PredicateAccessPredicate(PredicateAccess(Seq(rhsArg), pred)(NoPosition, NoInfo, NoTrafos), FullPerm()())() + val wand = MagicWand(lhs, rhs)() + executor.exec(q.s, Assert(wand)(), q.v) { + (s1, v1) => + Q(Some(q.copy(s = s1, v = v1))) + } } } } 
@@ -93,7 +117,7 @@ object AbstractionPackage extends AbstractionRule { object AbstractionJoin extends AbstractionRule { override def apply(q: AbstractionQuestion)(Q: Option[AbstractionQuestion] => VerificationResult): VerificationResult = { - val wands = q.s.h.values.collect { case wand: MagicWandChunk => q.varTran.transformChunk(wand) }.collect{case Some(wand: MagicWand) => wand}.toSeq + val wands = q.s.h.values.collect { case wand: MagicWandChunk => q.varTran.transformChunk(wand) }.collect { case Some(wand: MagicWand) => wand }.toSeq val pairs = wands.combinations(2).toSeq pairs.collectFirst { case wands if wands(0).right == wands(1).left => (wands(0), wands(1)) @@ -102,7 +126,8 @@ object AbstractionJoin extends AbstractionRule { case None => Q(None) case (Some((w1, w2))) => magicWandSupporter.packageWand(q.s, MagicWand(w1.left, w2.right)(), Seqn(Seq(Apply(w1)(), Apply(w2)()), Seq())(), pve, q.v) { - (s1, wandChunk, v1) => Q(Some(q.copy(s = s1.copy(h = s1.h.+(wandChunk)), v = v1))) + (s1, wandChunk, v1) => + Q(Some(q.copy(s = s1.copy(h = s1.reserveHeaps.head.+(wandChunk)), v = v1))) } } } 
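Review bot: `s1.reserveHeaps.head.+(wandChunk)` in AbstractionJoin.apply throws NoSuchElementException if packageWand hands back a state whose `reserveHeaps` is empty, whereas the previous `s1.h` could not fail this way. If packageWand guarantees a reserve heap at this point, a comment stating that invariant next to the call (`// packageWand leaves the pre-package heap in reserveHeaps.head`) would justify the `.head`; otherwise use `s1.reserveHeaps.headOption.getOrElse(s1.h)` or turn the case into a proper verification failure. Since only the head reserve heap becomes the new `h`, whatever packageWand left in `s1.h` is discarded, which is worth a sentence in the same comment.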
@@ -111,14 +136,15 @@ object AbstractionJoin extends AbstractionRule { object AbstractionApply extends AbstractionRule { override def apply(q: AbstractionQuestion)(Q: Option[AbstractionQuestion] => VerificationResult): VerificationResult = { - val wands = q.s.h.values.collect { case wand: MagicWandChunk => q.varTran.transformChunk(wand) }.collect {case Some(wand: MagicWand) => wand} - val targets = q.s.h.values.collect { case c: BasicChunk if !q.fixedChunks.contains(c) => q.varTran.transformChunk(c) }.collect {case Some(exp) => exp}.toSeq + val wands = q.s.h.values.collect { case wand: MagicWandChunk => q.varTran.transformChunk(wand) }.collect { case Some(wand: MagicWand) => wand } + val targets = q.s.h.values.collect { case c: BasicChunk if !q.fixedChunks.contains(c) => q.varTran.transformChunk(c) }.collect { case Some(exp) => exp }.toSeq - wands.collectFirst{case wand if targets.contains(wand.left) => wand } match { + wands.collectFirst { case wand if targets.contains(wand.left) => wand } match { case None => Q(None) case Some(wand) => magicWandSupporter.applyWand(q.s, wand, pve, q.v) { - (s1, v1) => Q(Some(q.copy(s = s1, v = v1))) + (s1, v1) => + Q(Some(q.copy(s = s1, v = v1))) } } } diff --git a/src/main/scala/biabduction/BiAbduction.scala b/src/main/scala/biabduction/BiAbduction.scala index 1fb10c6d..f2164402 100644 --- a/src/main/scala/biabduction/BiAbduction.scala +++ b/src/main/scala/biabduction/BiAbduction.scala @@ -6,7 +6,7 @@ import viper.silicon.interfaces.state.{Chunk, NonQuantifiedChunk} import viper.silicon.rules.consumer.consumes import viper.silicon.rules.{executionFlowController, executor, producer} import viper.silicon.state._ -import viper.silicon.state.terms.Term +import viper.silicon.state.terms.{Term, True} import viper.silicon.utils.ast.BigAnd import viper.silicon.utils.freshSnap import viper.silicon.verifier.Verifier 
@@ -79,10 +79,11 @@ case class AbductionSuccess(s: State, v: Verifier, pcs: PathConditionStack, stat def getStatements(bcExps: Seq[Option[Exp]]): Option[Seq[Stmt]] = { if (stmts.isEmpty) { Some(Seq()) - } else if (bcExps.contains(None)) { - None + // TODO nklose we are over approximating here, this is probably wrong in general but good in practise + //} else if (bcExps.contains(None)) { + // None } else { - val con = BigAnd(bcExps.map { case Some(e) => e }) + val con = BigAnd(bcExps.collect { case Some(e) => e }) con match { case _: TrueLit => Some(stmts) case _ => Some(Seq(If(con, Seqn(stmts, Seq())(), Seqn(Seq(), Seq())())())) @@ -153,21 +154,27 @@ case class LoopInvariantSuccess(s: State, v: Verifier, invs: Seq[Exp] = Seq(), l case class FramingSuccess(s: State, v: Verifier, posts: Seq[Exp], stmts: Seq[Stmt], loc: Positioned, pcs: PathConditionStack, varTran: VarTransformer) extends BiAbductionSuccess { override def toString: String = "Successful framing" - def getBcExps(bcsTerms: Seq[Term]): Option[Exp] = { - val varTrans = VarTransformer(s, v, s.g.values, s.h) + def getBcExps(bcsTerms: Seq[Term], targetVars: Map[AbstractLocalVar, (Term, Option[Exp])]): Option[Exp] = { + val varTrans = VarTransformer(s, v, targetVars, s.h) val bcExps = bcsTerms.map { t => varTrans.transformTerm(t) } + + // TODO this is possibly unsound but better in practise + Some(BigAnd(bcExps.collect { case Some(e) => e })) + /* if (bcExps.contains(None)) { None } else { Some(BigAnd(bcExps.map { case Some(e) => e })) - } + }*/ } def addToMethod(m: Method, bcs: Seq[Term]): Option[Method] = { val prevPcs = v.decider.pcs v.decider.setPcs(pcs) - val bcExpsOpt = getBcExps(bcs) + val formals = m.formalArgs.map(_.localVar) ++ m.formalReturns.map(_.localVar) + val vars = s.g.values.collect { case (var2, t) if formals.contains(var2) => (var2, t) } + val bcExpsOpt = getBcExps(bcs, vars) v.decider.setPcs(prevPcs) bcExpsOpt.flatMap { bcExps => 
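Review bot: getStatements now silently drops branch conditions that could not be transformed (`bcExps.collect { case Some(e) => e }`), so the generated `If` guard is weaker than the path on which the statements were abduced, and FramingSuccess.getBcExps in the second hunk of this file does the same for postconditions; since the solver's output is consumed as a specification, the weakening should at least be visible. Delete the old strict branch instead of keeping it commented out in both places, and replace the TODO with a comment that states the contract, e.g. `// Untransformable branch conditions are dropped, so the condition is weaker than the real path condition and over-approximates where stmts apply`. Consider also logging `bcExps.count(_.isEmpty)` when it is non-zero, so the over-approximation shows up in the run rather than only as weaker specs. In addToMethod, `formals.contains(var2)` is a linear scan per variable; `val formals = (...).toSet` avoids the quadratic lookup. Both methods' bodies continue outside the hunks.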
@@ -307,8 +314,7 @@ object BiAbductionSolver { def solveAbstraction(s: State, v: Verifier, fixedChunks: Seq[Chunk] = Seq())(Q: (State, Seq[Exp], Verifier) => VerificationResult): VerificationResult = { val q = AbstractionQuestion(s, v, fixedChunks) AbstractionApplier.applyRules(q) { q1 => - val tra = VarTransformer(q1.s, q1.v, q1.s.g.values, q1.s.h) - val res = q1.s.h.values.collect { case c: NonQuantifiedChunk => tra.transformChunk(c) }.collect { case Some(e) => e }.toSeq + val res = VarTransformer(q1.s, q1.v, q1.s.g.values, q1.s.h).transformState(q1.s) Q(q1.s, res, q1.v) } } @@ -358,7 +364,7 @@ object BiAbductionSolver { val abdReses = abductionUtils.getAbductionSuccesses(nf) val abdCases = abdReses.groupBy(res => (res.trigger, res.stmts, res.state)).flatMap { case (_, reses) => - val unjoined = reses.map(res => (Seq(res), res.pcs.branchConditions)) + val unjoined = reses.map(res => (Seq(res), res.pcs.branchConditions.distinct.filter(_ != True))) val joined = abductionUtils.joinBcs(unjoined) joined.map { case (reses, pcs) => 
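Review bot: `res.pcs.branchConditions.distinct.filter(_ != True)` in the abduction-result joining is repeated verbatim for the framing results and the loop-invariant results in the next hunk; factor it into a single helper, e.g. `def relevantBcs(pcs: PathConditionStack) = pcs.branchConditions.distinct.filter(_ != True)` in abductionUtils, so a later change to the normalisation is made in one place. A one-line comment on the helper explaining why `True` is filtered (it contributes nothing to a conjunction but would defeat joining of otherwise equal condition sets, if that is the motivation) would document the intent. The enclosing method starts and ends outside the hunk.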
@@ -373,21 +379,27 @@ object BiAbductionSolver { val frames = abductionUtils.getFramingSuccesses(nf) val frameCases = frames.groupBy(f => (f.posts, f.stmts)).flatMap { case (_, frs) => - val unjoined = frs.map(fr => (Seq(fr), fr.pcs.branchConditions)) + val unjoined = frs.map(fr => (Seq(fr), fr.pcs.branchConditions.distinct.filter(_ != True))) val joined = abductionUtils.joinBcs(unjoined) joined.map { case (frs, pcs) => frs.head -> pcs } } - frameCases.foldLeft[Option[Method]](Some(m))((m1, res) => m1.flatMap { mm => res._1.addToMethod(mm, res._2) }) + + // We get a framing result for every branch that reaches the end. So we can remove bcs that hold in every case, as they + // are guaranteed to hold. + val allTerms = frameCases.values + val alwaysTerms = allTerms.head.filter {t => allTerms.forall(_.contains(t))} + + frameCases.foldLeft[Option[Method]](Some(m))((m1, res) => m1.flatMap { mm => res._1.addToMethod(mm, res._2.diff(alwaysTerms)) }) } def resolveLoopInvResults(m: Method, nf: NonFatalResult): Option[Method] = { val invs = abductionUtils.getInvariantSuccesses(nf) val invCases = invs.groupBy(inv => (inv.loop, inv.invs)).flatMap { case (_, invs) => - val unjoined = invs.map(inv => (Seq(inv), inv.pcs.branchConditions)) + val unjoined = invs.map(inv => (Seq(inv), inv.pcs.branchConditions.distinct.filter(_ != True))) val joined = abductionUtils.joinBcs(unjoined) joined.map { case (invs, pcs) => @@ -508,4 +520,5 @@ object abductionUtils { case _ => None } } + } diff --git a/src/main/scala/biabduction/Invariant.scala b/src/main/scala/biabduction/Invariant.scala index 27ce6042..03ed96e8 100644 --- a/src/main/scala/biabduction/Invariant.scala +++ b/src/main/scala/biabduction/Invariant.scala 
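Review bot: `allTerms.head` in the framing-result resolution throws NoSuchElementException when `frameCases` is empty, which can occur if getFramingSuccesses returns nothing for the method; before this change the foldLeft over an empty map simply returned `Some(m)`. Use `val alwaysTerms = allTerms.headOption.map(_.filter(t => allTerms.forall(_.contains(t)))).getOrElse(Seq.empty)` (or guard with `if (frameCases.isEmpty) Some(m) else ...`) so a method without framing results degrades instead of crashing. The comment above the computation should also state the assumption it relies on, e.g. `// Only sound if the framing results cover every path that reaches the end of the method`; if some path produced no FramingSuccess, a condition shared by the remaining results is not necessarily implied. The method's start is outside the hunk.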
@@ -50,13 +50,19 @@ object LoopInvariantSolver { case f: Failure => f case abdRes: NonFatalResult => // TODO nklose we do not guarantee length 1 here anymore - val abd = abductionUtils.getAbductionSuccesses(abdRes).head + abductionUtils.getAbductionSuccesses(abdRes) match { + case Seq(AbductionSuccess(s5, v5, _, Seq(), _, _)) => + val unfolded = VarTransformer(s5, v5, s5.g.values, s5.h).transformState(s5) + Q(unfolded) + } + /* val unfolds = abd.stmts.collect { case Unfold(pa) => (pa.toString -> pa.loc.predicateBody(s.program, Set()).get) }.toMap val unfolded = inverted.map { case inv: PredicateAccessPredicate => unfolds.getOrElse(inv.toString, inv) case inv => inv } Q1(unfolded) + */ } } } @@ -100,13 +106,9 @@ object LoopInvariantSolver { loopConBcs: Seq[Term] = Seq(), iteration: Int = 1): VerificationResult = { - // Produce the already known invariants. They are consumed at the end of the loop body, so we need to do this every iteration produces(s, freshSnap, loopHead.invs, ContractNotWellformed, v) { (sPreInv, vPreInv) => - //var loopCondTerm: Option[Term] = None - //val oldPcs = vPreInv.decider.pcs.branchConditions - // Run the loop the first time to check whether we abduce any new state executionFlowController.locally(sPreInv, vPreInv) { (sFP, vFP) => 
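Review bot: The new `abductionUtils.getAbductionSuccesses(abdRes) match` in LoopInvariantSolver has a single case, `Seq(AbductionSuccess(s5, v5, _, Seq(), _, _))`, so any other shape — several successes, or one with non-empty `stmts` — ends in a MatchError rather than a verification result, and the TODO directly above says exactly that length 1 is no longer guaranteed. Add a fallback such as `case _ => Failure(...)` with a descriptive reason so the situation is reported as a verification failure instead of an exception; the commented-out `Failure(pve dueTo DummyReason)` later in this file suggests the pieces exist, though whether `pve` is in scope at this point is not visible in the hunk. The now-commented `unfolds`/`inverted` block should be removed rather than left in the source once the match path replaces it. The enclosing function starts and ends outside the hunk.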
@@ -125,27 +127,15 @@ object LoopInvariantSolver { // We assume there is only one loop internal edge val loopConExp = loopEdges.head.asInstanceOf[ConditionalEdge[Stmt, Exp]].condition - //evaluator.eval(sPreInv0, loopConExp, pve, vPreInv0) { (sPreInv, loopConTerm, _, vPreInv) => - - //val newLoopCons = loopConBcs :+ loopCondTerm.get - val abdReses = abductionUtils.getAbductionSuccesses(nonf) val preStateVars = sPreInv.g.values.filter { case (v, _) => origVars.contains(v) } val newStateOpt = abdReses.flatMap { case abd => abd.getPreconditions(preStateVars, sPreInv.h, Seq()).get } - //val newStateHeadOpt = abdReses.collect { case abd if abd.trigger.contains(loopConExp) => abd.toPrecondition(preStateVars, sPreInv.h) } - //if (newStateOpt.contains(None)) { - // return Failure(pve dueTo DummyReason) - //} - // We still need to remove the current loop condition val newState = newStateOpt.map(_.transform { case im: Implies if im.left == loopConExp => im.right }) - //val newStateHead = newStateHeadOpt.flatMap(_.get) - //val abductionResults = newStateHead ++ newStateBody - // Do the second pass so that we can compare the state at the end of the loop with the state at the beginning // Get the state at the beginning of the loop with the abduced things added producer.produces(sPreInv, freshSnap, newState, pveLam, vPreInv) { (sPreAbd0, vPreAbd0) => @@ -158,7 +148,6 @@ object LoopInvariantSolver { }, sPreAbd, vPreAbd) { chunks => val allChunks = chunks.keys - //val fixedChunks = chunks.collect({ case (c, loc) if newStateHead.contains(loc) => c }).toSeq val newPreState0 = sPreAbd.copy(h = q.preHeap.+(Heap(allChunks))) BiAbductionSolver.solveAbstraction(newPreState0, vPreAbd) { 
@@ -166,6 +155,8 @@ object LoopInvariantSolver { val preTran = VarTransformer(newPreState, newPreV, preStateVars, newPreState.h) val newPreAbstraction = newPreAbstraction0.map(e => preTran.transformExp(e, strict = false).get) + + executor.follows(sPreAbd, loopEdges, pveLam, vPreAbd, joinPoint)((sPost, vPost) => { @@ -174,6 +165,11 @@ object LoopInvariantSolver { val postStateVars = sPostAbs.g.values.filter { case (v, _) => origVars.contains(v) } val postTran = VarTransformer(sPostAbs, vPostAbs, postStateVars, sPostAbs.h) val postAbstraction = postAbstraction0.map(e => postTran.transformExp(e, strict = false).get) + + println("\nIteration: " + iteration) + println("New state:\n " + newState.mkString("\n ")) + println("New pre abstraction:\n " + newPreAbstraction.mkString("\n ")) + println("New post abstraction:\n " + postAbstraction.mkString("\n ")) // If the pushed forward abstraction is the same as the previous one, we are done if (newPreAbstraction == q.preAbstraction && postAbstraction == q.postAbstraction) { @@ -198,7 +194,6 @@ object LoopInvariantSolver { } } } - //} } } } diff --git a/src/main/scala/biabduction/VarTransformer.scala b/src/main/scala/biabduction/VarTransformer.scala index ba90fd20..14ad5fd7 100644 --- a/src/main/scala/biabduction/VarTransformer.scala +++ b/src/main/scala/biabduction/VarTransformer.scala @@ -9,6 +9,8 @@ import viper.silicon.verifier.Verifier import viper.silver.ast import viper.silver.ast._ +import scala.annotation.tailrec + case class VarTransformer(s: State, v: Verifier, targetVars: Map[AbstractLocalVar, (Term, Option[ast.Exp])], targetHeap: Heap) { //val pve: PartialVerificationError = Internal() 
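Review bot: The four `println` calls added after `postAbstraction` write per-iteration debugging output to the verifier's stdout, so every run that reaches the loop-invariant solver prints the abduced state and interleaves it with normal reporting. Route them through the verifier's logging facility at debug level or drop them before merging; if the trace is meant to stay, gate it behind a configuration flag and say in a comment what it is for (`// debug trace of the invariant fixpoint iteration`). The enclosing closure starts and ends outside the hunk.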
@@ -31,11 +33,14 @@ case class VarTransformer(s: State, v: Verifier, targetVars: Map[AbstractLocalVa t -> directTargets.collectFirst { case ((t1, _), e) if t.sort == t1.sort && v.decider.check(BuiltinEquals(t, t1), Verifier.config.checkTimeout()) => e } }.collect { case (t2, Some(e)) => t2 -> e }.toMap - resolveChunks(directAliases, targetHeap.values.collect { case c: BasicChunk + val chunksToResolve = targetHeap.values.collect { case c: BasicChunk if c.resourceID == FieldID && !(directAliases.contains(c.args.head) && directAliases.contains(c.snap)) => c - }.toSeq, allTerms.filter(!directAliases.contains(_))) + }.toSeq + + resolveChunks(directAliases, chunksToResolve, allTerms.filter(!directAliases.contains(_))) } + @tailrec private def resolveChunks(currentMatches: Map[Term, Exp], remainingChunks: Seq[BasicChunk], remainingTerms: Seq[Term]): Map[Term, Exp] = { remainingChunks.collectFirst { case c if currentMatches.contains(c.args.head) => c } match { case None => currentMatches @@ -51,7 +56,7 @@ case class VarTransformer(s: State, v: Verifier, targetVars: Map[AbstractLocalVa t match { case t if matches.contains(t) => matches.get(t) case BuiltinEquals(t1, t2) => (transformTerm(t1), transformTerm(t2)) match { - case (Some(e1), Some(e2)) => + case (Some(e1), Some(e2)) => Some(EqCmp(e1, e2)()) case _ => None } 
@@ -59,14 +64,27 @@ case class VarTransformer(s: State, v: Verifier, targetVars: Map[AbstractLocalVa case terms.FullPerm => Some(FullPerm()()) case terms.Null => Some(NullLit()()) case terms.Not(BuiltinEquals(t1, t2)) => (transformTerm(t1), transformTerm(t2)) match { - case (Some(e1), Some(e2)) => + case (Some(e1), Some(e2)) => Some(NeCmp(e1, e2)()) case _ => None } + case terms.True => Some(TrueLit()()) case _ => None } } + def transformState(s: State): Seq[Exp] = { + + val transformed = s.h.values.collect { case c: NonQuantifiedChunk => transformChunk(c) }.collect { case Some(e) => e }.toSeq + transformed.filter { + case _: FieldAccessPredicate => true + case _ => false + } ++ transformed.filter { + case _: FieldAccessPredicate => false + case _ => true + } + } + def transformChunk(b: NonQuantifiedChunk): Option[Exp] = { b match { @@ -82,7 +100,7 @@ case class VarTransformer(s: State, v: Verifier, targetVars: Map[AbstractLocalVa val rcvs = mwc.args.map(a => a -> transformTerm(a)).toMap if (rcvs.values.toSeq.contains(None)) None else { val shape = mwc.id.ghostFreeWand - val expBindings = mwc.bindings.collect { case (lv, (term, _)) if rcvs.contains(term) => lv -> rcvs(term).get} + val expBindings = mwc.bindings.collect { case (lv, (term, _)) if rcvs.contains(term) => lv -> rcvs(term).get } val instantiated = shape.replace(expBindings) Some(instantiated) //Some(abductionUtils.getPredicate(s.program, rcv.get, transformTerm(b.perm).get)) diff --git a/src/main/scala/rules/ExecutionFlowController.scala b/src/main/scala/rules/ExecutionFlowController.scala index f8c45960..49ff3606 100644 --- a/src/main/scala/rules/ExecutionFlowController.scala +++ b/src/main/scala/rules/ExecutionFlowController.scala @@ -8,6 +8,7 @@ package viper.silicon.rules import viper.silver.ast import viper.silicon.Config.ExhaleMode +import viper.silicon.decider.PathConditionStack import viper.silicon.interfaces._ import viper.silicon.logger.records.data.CommentRecord import viper.silicon.state.State 
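Review bot: `transformState(s: State)` declares a parameter `s` that shadows the case-class field `s` of VarTransformer, and both call sites in this commit pass the very state the transformer was built from (`VarTransformer(q1.s, ...).transformState(q1.s)` and `VarTransformer(s5, v5, ...).transformState(s5)`); either drop the parameter and use the field, or rename it to make clear that a different state may legitimately be passed. The body walks `transformed` twice with complementary filters; `val (fields, rest) = transformed.partition(_.isInstanceOf[FieldAccessPredicate]); fields ++ rest` expresses the same ordering once, and a comment explaining why field accesses must come first (presumably so receivers are introduced before the predicates and wands that mention them — to be confirmed) would document why the order matters. The added `case terms.True => Some(TrueLit()())` has no `terms.False` counterpart; whether `False` can reach transformTerm is not visible here. transformTerm starts before the hunk.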
@@ -197,9 +198,29 @@ object executionFlowController extends ExecutionFlowRules { private def tryOrElseWithResult[R](s: State, v: Verifier) - (action: (State, Verifier, (State, R, Verifier) => VerificationResult) => VerificationResult) - (Q: (State, R, Verifier) => VerificationResult) - (F: Failure => VerificationResult) : VerificationResult = { + (action: (State, Verifier, (State, R, Verifier) => VerificationResult) => VerificationResult) + (Q: (State, R, Verifier) => VerificationResult) + (F: Failure => VerificationResult): VerificationResult = { + + + /* + val initPcs = v.decider.pcs.duplicate() + var optRes: Option[(State, R, Verifier, PathConditionStack)] = None + action(s, v, { (s2, r, v2) => + optRes = Some((s2, r, v2, v2.decider.pcs.duplicate())) + Success() + }) match { + case _: NonFatalResult => + optRes match { + case Some((s3, r1, v3, pcs)) => + v3.decider.setPcs(pcs) + Q(s3, r1, v3) + } + case f: Failure => + v.decider.setPcs(initPcs) + F(f) + }*/ + // This is not as efficient as it maybe could be, we call action twice. // To speed it up we would have to save the s2, v2, r that we currently ignore in the fake diff --git a/src/main/scala/rules/Executor.scala b/src/main/scala/rules/Executor.scala index 9fd1b635..d0a6f9c2 100644 --- a/src/main/scala/rules/Executor.scala +++ b/src/main/scala/rules/Executor.scala @@ -368,7 +368,7 @@ object executor extends ExecutionRules { (s1, v1, QS) => consumes(s1, invs, LoopInvariantNotPreserved, v1)(QS) } { - (s1, _, v1) => Q(s1, v1) + (s2, _, v2) => Q(s2, v2) } { f => // There are cases where it is incorrect to abduce state here, but only some cases and it is hard to distinguish them diff --git a/src/test/resources/biabduction/dafny/examples-16.0.0.vpr b/src/test/resources/biabduction/dafny/examples-16.0.0.vpr new file mode 100644 index 00000000..ff0314d2 --- /dev/null +++ b/src/test/resources/biabduction/dafny/examples-16.0.0.vpr 
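Review bot: tryOrElseWithResult now carries a roughly twenty-line commented-out alternative implementation, and the `PathConditionStack` import added at the top of this file is referenced only inside that comment, so it is an unused import in the compiled code. Remove the block from the committed source and keep the idea as a one-line addition to the existing comment, e.g. `// TODO: run action once and keep (s2, r, v2, pcs) from that run instead of calling it twice`, dropping the import with it. The rest of the method's body is outside the hunk.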
@@ -0,0 +1,19 @@ + +field checksumData: Int + +predicate ChecksumMachine(this: Ref) +{ + acc(this.checksumData) && 0 <= this.checksumData +} + + +method ChecksumMachineConstructor() returns (this: Ref) + ensures ChecksumMachine(this) + //ensures unfolding ChecksumMachine(this) in this.checksumData == 0 +{ + this := new(checksumData) + this.checksumData := 0 + fold ChecksumMachine(this) +} + + diff --git a/src/test/resources/biabduction/dafny/examples-16.0.1.vpr b/src/test/resources/biabduction/dafny/examples-16.0.1.vpr new file mode 100644 index 00000000..6c2c6015 --- /dev/null +++ b/src/test/resources/biabduction/dafny/examples-16.0.1.vpr @@ -0,0 +1,20 @@ + +field checksumData: Int + +predicate ChecksumMachine(this: Ref) +{ + acc(this.checksumData) && 0 <= this.checksumData +} + +method Append(this: Ref, d: Int) + requires ChecksumMachine(this) + requires 0 <= d + ensures ChecksumMachine(this) + //ensures getChecksumData(this) == old(getChecksumData(this)) + d +{ + unfold ChecksumMachine(this) + this.checksumData := this.checksumData + d + fold ChecksumMachine(this) +} + + diff --git a/src/test/resources/biabduction/dafny/examples-16.1.0.vpr b/src/test/resources/biabduction/dafny/examples-16.1.0.vpr new file mode 100644 index 00000000..daf49ebc --- /dev/null +++ b/src/test/resources/biabduction/dafny/examples-16.1.0.vpr @@ -0,0 +1,25 @@ +field source: Seq[Int] +field n: Int + +predicate Tokenizer(this: Ref) +{ + acc(this.source) && + acc(this.n) && 0 <= this.n <= |this.source| && + forall i: Int :: 0 <= i < |this.source| ==> 0 <= this.source[i] <= 127 +} + + +method TokenizerConstructor(s: Seq[Int]) returns (this: Ref) + requires forall i: Int :: 0 <= i < |s| ==> 0 <= s[i] <= 127 + ensures Tokenizer(this) + //ensures getSource(this) == s && getN(this) == 0 +{ + this := new(source, n) + this.source := s + this.n := 0 + fold Tokenizer(this) +} + + + + \ No newline at end of file 
diff --git a/src/test/resources/biabduction/dafny/examples-16.1.1.vpr b/src/test/resources/biabduction/dafny/examples-16.1.1.vpr new file mode 100644 index 00000000..ad1b669d --- /dev/null +++ b/src/test/resources/biabduction/dafny/examples-16.1.1.vpr 
@@ -0,0 +1,128 @@ +adt Category { + Identifier() + Number() + Operator() + Whitespace() + Error() + End() +} + +function Is(ch: Int, cat: Category): Bool + requires !cat.isEnd + requires 0 <= ch <= 127 +{ + (cat.isWhitespace) ? ch == 32 || ch == 9 || ch == 13 || ch == 10 : // " \t\r\n" + (cat.isIdentifier) ? 65 <= ch <= 90 || 97 <= ch <= 122 : // 'A' <= ch <= 'Z' || 'a' <= ch <= 'z' + (cat.isNumber) ? 48 <= ch <= 57 : // '0' <= ch <= '9' + (cat.isOperator) ? ch == 43 || ch == 45 || ch == 42 || ch == 47 || ch == 37 || ch == 33 || + ch == 61 || ch == 62 || ch == 60 || ch == 126 || ch == 94 || ch == 38 || + ch == 124 : // "+-*/%!=><=~^&|" + !Is(ch, Identifier()) && !Is(ch, Number()) && !Is(ch, Operator()) && + !Is(ch, Whitespace()) // error case +} + +field source: Seq[Int] +field n: Int + +predicate Tokenizer(this: Ref) +{ + acc(this.source) && + acc(this.n) && 0 <= this.n <= |this.source| && + forall i: Int :: 0 <= i < |this.source| ==> 0 <= this.source[i] <= 127 +} + + +function getSource(this: Ref): Seq[Int] + requires Tokenizer(this) + ensures forall i: Int :: 0 <= i < |result| ==> 0 <= result[i] <= 127 +{ + unfolding Tokenizer(this) in + this.source +} + +function getN(this: Ref): Int + requires Tokenizer(this) + ensures 0 <= result <= |getSource(this)| +{ + unfolding Tokenizer(this) in + this.n +} + +method Read(this: Ref) returns (cat: Category, p: Int, token: Seq[Int]) + requires Tokenizer(this) + ensures 0 <= p + ensures Tokenizer(this) + ensures getSource(this) == old(getSource(this)) + ensures !cat.isWhitespace + ensures old(getN(this)) <= p <= getN(this) <= |getSource(this)| + ensures cat.isEnd <==> p == |getSource(this)| + ensures cat.isEnd || cat.isError <==> p == getN(this) + ensures forall i: Int :: old(getN(this)) <= i < p ==> + Is(getSource(this)[i], Whitespace()) + ensures forall i: Int :: p <= i < getN(this) ==> Is(getSource(this)[i], cat) + ensures p < getN(this) ==> getN(this) == |getSource(this)| || !Is(getSource(this)[getN(this)], cat) + 
ensures !cat.isError ==> token == getSource(this)[p..getN(this)] +{ + // skip whitespace + while (getN(this) != |getSource(this)| && Is(getSource(this)[getN(this)], Whitespace())) + invariant Tokenizer(this) + invariant getSource(this) == old(getSource(this)) + invariant old(getN(this)) <= getN(this) <= |getSource(this)| + invariant forall i: Int :: old(getN(this)) <= i < getN(this) ==> Is(getSource(this)[i], Whitespace()) + { + unfold Tokenizer(this) + this.n := this.n + 1 + fold Tokenizer(this) + } + p := getN(this) + // determine syntactic category + var return: Bool := false + if (getN(this) == |getSource(this)|) + { + cat := End() + token := Seq() + return := true + } + elseif (Is(getSource(this)[getN(this)], Identifier())) + { + cat := Identifier() + } + elseif (Is(getSource(this)[getN(this)], Number())) + { + cat := Number() + } + elseif (Is(getSource(this)[getN(this)], Operator())) + { + cat := Operator() + } + else + { + cat := Error() + token := Seq() + return := true + } + // read token + if (!return) + { + var start: Int := getN(this) + unfold Tokenizer(this) + this.n := this.n + 1 + fold Tokenizer(this) + while (getN(this) != |getSource(this)| && Is(getSource(this)[getN(this)], cat)) + invariant Tokenizer(this) + invariant getSource(this) == old(getSource(this)) + invariant p <= getN(this) <= |getSource(this)| + invariant forall i: Int :: p <= i < getN(this) ==> Is(getSource(this)[i], cat) + { + unfold Tokenizer(this) + this.n := this.n + 1 + fold Tokenizer(this) + } + token := getSource(this)[start..getN(this)] + } +} + + + + + \ No newline at end of file diff --git a/src/test/resources/biabduction/dafny/examples-16.2.vpr b/src/test/resources/biabduction/dafny/examples-16.2.vpr new file mode 100644 index 00000000..a62b3812 --- /dev/null +++ b/src/test/resources/biabduction/dafny/examples-16.2.vpr 
@@ -0,0 +1,184 @@ + +field hasBeans: Bool + +predicate Grinder(this: Ref) +{ + acc(this.hasBeans) +} + +function getHasBeans(this: Ref): Bool + requires Grinder(this) +{ + unfolding Grinder(this) in + this.hasBeans +} + +method GrinderConstructor() returns (this: Ref) + ensures Grinder(this) + ensures !getHasBeans(this) +{ + this := new(hasBeans) + this.hasBeans := false + fold Grinder(this) +} + + +method GrinderAddBeans(this: Ref) + requires Grinder(this) + ensures Grinder(this) + ensures getHasBeans(this) + +method GrinderGrind(this: Ref) + requires Grinder(this) + requires getHasBeans(this) + ensures Grinder(this) + ensures !getHasBeans(this) + +field Level: Int + +predicate WaterTank(this: Ref) +{ + acc(this.Level) && 0 <= this.Level +} + + +function getLevel(this: Ref): Int + requires WaterTank(this) + ensures 0 <= result +{ + unfolding WaterTank(this) in + this.Level +} + +method WaterTankConstructor() returns (this: Ref) + ensures WaterTank(this) + ensures getLevel(this) == 0 +{ + this := new(Level) + this.Level := 0 + fold WaterTank(this) +} + + +method WaterTankFill(this: Ref) + requires WaterTank(this) + ensures WaterTank(this) + ensures getLevel(this) == 10 + +method WaterTankUse(this: Ref) + requires WaterTank(this) + requires getLevel(this) != 0 + ensures WaterTank(this) + ensures getLevel(this) == old(getLevel(this)) - 1 + + +predicate Cup(this: Ref) + + +method CupConstructor() returns (this: Ref) + ensures Cup(this) + + +field CMGrinder: Ref +field CMWaterTank: Ref + +predicate CoffeeMaker(this: Ref) +{ + acc(this.CMGrinder) && Grinder(this.CMGrinder) && + acc(this.CMWaterTank) && WaterTank(this.CMWaterTank) +} + +function getCoffeeMakerGrinder(this: Ref): Ref + requires CoffeeMaker(this) +{ + unfolding CoffeeMaker(this) in + this.CMGrinder +} + +function getCoffeeMakerWaterTank(this: Ref): Ref + requires CoffeeMaker(this) +{ + unfolding CoffeeMaker(this) in + this.CMWaterTank +} + + +method CoffeeMakerConstructor() returns (this: Ref) + ensures 
CoffeeMaker(this) + ensures unfolding CoffeeMaker(this) in !getHasBeans(this.CMGrinder) + ensures unfolding CoffeeMaker(this) in getLevel(this.CMWaterTank) == 0 +{ + this := new(CMGrinder, CMWaterTank) + this.CMGrinder := GrinderConstructor() + this.CMWaterTank := WaterTankConstructor() + fold CoffeeMaker(this) +} + + +function CoffeeMakerReady(this: Ref): Bool + requires CoffeeMaker(this) +{ + unfolding CoffeeMaker(this) in + getHasBeans(this.CMGrinder) && 2 <= getLevel(this.CMWaterTank) +} + + +method CoffeeMakerRestock(this: Ref) + requires CoffeeMaker(this) + ensures CoffeeMaker(this) + ensures CoffeeMakerReady(this) + ensures unfolding CoffeeMaker(this) in getHasBeans(this.CMGrinder) + ensures unfolding CoffeeMaker(this) in getLevel(this.CMWaterTank) == 10 +{ + unfold CoffeeMaker(this) + GrinderAddBeans(this.CMGrinder) + WaterTankFill(this.CMWaterTank) + fold CoffeeMaker(this) +} + +method CoffeeMakerDispense(this: Ref, double: Bool) returns (c: Ref) + requires CoffeeMaker(this) + requires CoffeeMakerReady(this) + ensures CoffeeMaker(this) + ensures unfolding CoffeeMaker(this) in !getHasBeans(this.CMGrinder) + ensures unfolding CoffeeMaker(this) in + double ==> getLevel(this.CMWaterTank) == old(unfolding CoffeeMaker(this) in getLevel(this.CMWaterTank)) - 2 + ensures unfolding CoffeeMaker(this) in + !double ==> getLevel(this.CMWaterTank) == old(unfolding CoffeeMaker(this) in getLevel(this.CMWaterTank)) - 1 + ensures Cup(c) +{ + unfold CoffeeMaker(this) + GrinderGrind(this.CMGrinder) + if (double) + { + WaterTankUse(this.CMWaterTank) + WaterTankUse(this.CMWaterTank) + } + else + { + WaterTankUse(this.CMWaterTank) + } + c := CupConstructor() + fold CoffeeMaker(this) +} + +method CoffeeMakerChangeGrinder(this: Ref) + requires CoffeeMaker(this) + ensures CoffeeMaker(this) + ensures unfolding CoffeeMaker(this) in !getHasBeans(this.CMGrinder) +{ + unfold CoffeeMaker(this) + this.CMGrinder := GrinderConstructor() + fold CoffeeMaker(this) +} + +method 
CoffeeMakerInstallCustomGrinder(this: Ref, grinder: Ref) + requires CoffeeMaker(this) + requires Grinder(grinder) + ensures CoffeeMaker(this) + ensures unfolding CoffeeMaker(this) in old(getHasBeans(grinder)) == getHasBeans(this.CMGrinder) +{ + unfold CoffeeMaker(this) + this.CMGrinder := grinder + fold CoffeeMaker(this) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/dafny/exercises-16.0.vpr b/src/test/resources/biabduction/dafny/exercises-16.0.vpr new file mode 100644 index 00000000..99a04fba --- /dev/null +++ b/src/test/resources/biabduction/dafny/exercises-16.0.vpr 
@@ -0,0 +1,139 @@ +//import "examples-16.0.vpr" +field checksumData: Int + +// Exercise 16.3 +/** + * This is a quick implementation of the ChecksumMachine with an additional + * field ocs, which is an optional checksum value. The checksum value will only + * be computed if it is not already present in the ocs field. If a checksum is + * present, it will be returned instead of recomputing it. When the + * checksumData value changes, the ocs field will be reset to None. This avoids + * an additional computation of the checksum value because we would have to + * check if the ocs value is still correct. + * Because the implementation is a variation of already seen and explained code, + * we will not go into detail about the individual code sections. + */ +adt Option[T] { + Some(value: T) + None() +} + +field ocs: Option[Int] + +predicate ChecksumMachineOCS(this: Ref) +{ + acc(this.checksumData) && 0 <= this.checksumData && + acc(this.ocs) +} + +method ChecksumMachineOCSConstructor() returns (this: Ref) + ensures ChecksumMachineOCS(this) + ensures unfolding ChecksumMachineOCS(this) in this.checksumData == 0 + ensures unfolding ChecksumMachineOCS(this) in this.ocs.isNone +{ + this := new(checksumData, ocs) + this.checksumData := 0 + this.ocs := None() + fold ChecksumMachineOCS(this) +} + +method AppendOCS(this: Ref, d: Int) + requires ChecksumMachineOCS(this) + requires 0 <= d + ensures ChecksumMachineOCS(this) + ensures unfolding ChecksumMachineOCS(this) in this.checksumData == old(unfolding ChecksumMachineOCS(this) in this.checksumData) + d + ensures unfolding ChecksumMachineOCS(this) in this.ocs.isNone +{ + unfold ChecksumMachineOCS(this) + this.checksumData := this.checksumData + d + this.ocs := None() + fold ChecksumMachineOCS(this) +} + +method ChecksumOCS(this: Ref) returns (checksum: Int) + requires ChecksumMachineOCS(this) + //requires unfolding ChecksumMachineOCS(this) in this.ocs.isNone || this.ocs.value == Hash(this.checksumData) + ensures 
ChecksumMachineOCS(this) + ensures unfolding ChecksumMachineOCS(this) in this.checksumData == old(unfolding ChecksumMachineOCS(this) in this.checksumData) + //ensures unfolding ChecksumMachineOCS(this) in checksum == Hash(this.checksumData) + ensures unfolding ChecksumMachineOCS(this) in this.ocs == Some(checksum) +{ + unfold ChecksumMachineOCS(this) + if (this.ocs.isNone) + { + this.ocs := Some(this.checksumData % 137) + } + checksum := this.ocs.value + fold ChecksumMachineOCS(this) +} + +// Exercise 16.4 +/** + * This is a simple implementation of a ledger system, where we can deposit and + * withdraw a value. All transactions are stored in a sequence and the balance + * is the sum of all transactions. The balance cannot be negative. + * At the time of writing the Silicon symbolic execution backend is unable to + * verify the presented code, while the Carbon condition generation backend is + * able to verify the presented code. + */ +/* function Sum(s: Seq[Int]): Int +{ + (|s| == 0) ? 
0 : s[0] + Sum(s[1..]) +} + +field LedgerTransactions: Seq[Int] +field LedgerBalance: Int + +predicate Ledger(this: Ref) +{ + acc(this.LedgerTransactions) && + acc(this.LedgerBalance) && 0 <= this.LedgerBalance && + this.LedgerBalance == Sum(this.LedgerTransactions) +} + +method LedgerConstructor() returns (this: Ref) + ensures Ledger(this) + ensures unfolding Ledger(this) in this.LedgerTransactions == Seq() + ensures unfolding Ledger(this) in this.LedgerBalance == 0 +{ + this := new(LedgerTransactions, LedgerBalance) + this.LedgerTransactions := Seq() + this.LedgerBalance := 0 + fold Ledger(this) +} + +method LedgerDeposit(this: Ref, n: Int) + requires Ledger(this) + requires 0 <= n + ensures Ledger(this) + ensures unfolding Ledger(this) in this.LedgerTransactions == Seq(n) ++ old(unfolding Ledger(this) in this.LedgerTransactions) + ensures unfolding Ledger(this) in this.LedgerBalance == n + old(unfolding Ledger(this) in this.LedgerBalance) +{ + unfold Ledger(this) + this.LedgerTransactions := Seq(n) ++ this.LedgerTransactions + this.LedgerBalance := this.LedgerBalance + n + fold Ledger(this) +} + +method LedgerWithdraw(this: Ref, n: Int) + requires Ledger(this) + requires 0 <= n + requires unfolding Ledger(this) in n <= this.LedgerBalance + ensures Ledger(this) + ensures unfolding Ledger(this) in this.LedgerTransactions == Seq(-n) ++ old(unfolding Ledger(this) in this.LedgerTransactions) + ensures unfolding Ledger(this) in this.LedgerBalance == old(unfolding Ledger(this) in this.LedgerBalance) - n +{ + unfold Ledger(this) + this.LedgerTransactions := Seq(-n) ++ this.LedgerTransactions + this.LedgerBalance := this.LedgerBalance - n + fold Ledger(this) +} + +method LedgerTestHarness() +{ + var l: Ref := LedgerConstructor() + LedgerDeposit(l, 100) + LedgerDeposit(l, 200) + LedgerWithdraw(l, 50) + assert unfolding Ledger(l) in l.LedgerBalance == 250 +} */ \ No newline at end of file 
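Review bot: `ChecksumMachineOCS` does not relate `ocs` to `checksumData`, so `ChecksumOCS` returns whatever value a pre-existing `Some` holds and its surviving postcondition `this.ocs == Some(checksum)` pins nothing about the data; the precondition that would have done so is commented out. The constructor and `AppendOCS` both reset `ocs` to `None()`, so callers going only through these methods are fine, but nothing stops the predicate being folded elsewhere with a stale cached value. Making the cache part of the invariant, `acc(this.ocs) && (this.ocs.isSome ==> this.ocs.value == this.checksumData % 137)`, lets the commented-out `checksum == Hash(...)` postcondition come back as `ensures checksum == old(unfolding ChecksumMachineOCS(this) in this.checksumData) % 137` without needing a `Hash` function at all.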
diff --git a/src/test/resources/biabduction/dafny/exercises-16.1.vpr b/src/test/resources/biabduction/dafny/exercises-16.1.vpr new file mode 100644 index 00000000..ea358c5c --- /dev/null +++ b/src/test/resources/biabduction/dafny/exercises-16.1.vpr 
@@ -0,0 +1,275 @@ +import "examples-16.1.vpr" + +// Exercise 16.5 +/** + * Skipped because it is textual. + */ + +// Exercise 16.6 +/** + * This is a modification of the Tokenizer code from the section 16.1 where we + * have two additional functions IsStart and IsFollow. Is start determines if + * the given character is a letter and IsFollow determines if the given character + * is a letter or a digit. With that we can modify the Read method to only + * allow Identifier tokens to start with a letter and follow with a letter or a + * digit. The change is only in the "read token" part of the method and if a + * faulty Identifier token is found, the method will return the Error category. + */ +function IsStart(ch: Int, cat: Category): Bool + requires !cat.isEnd + requires 0 <= ch <= 127 +{ + Is(ch, Identifier()) +} + +function IsFollow(ch: Int, cat: Category): Bool + requires !cat.isEnd + requires 0 <= ch <= 127 +{ + Is(ch, Identifier()) || Is(ch, Number()) +} + +method ReadModifedIdentifier(this: Ref) returns (cat: Category, p: Int, token: Seq[Int]) + requires Tokenizer(this) + ensures 0 <= p + ensures Tokenizer(this) + ensures getSource(this) == old(getSource(this)) + ensures !cat.isWhitespace + ensures old(getN(this)) <= p <= getN(this) <= |getSource(this)| + ensures cat.isEnd <==> p == |getSource(this)| + ensures cat.isEnd || cat.isError <==> p == getN(this) + ensures forall i: Int :: old(getN(this)) <= i < p ==> + Is(getSource(this)[i], Whitespace()) + ensures forall i: Int :: p <= i < getN(this) ==> Is(getSource(this)[i], cat) + ensures p < getN(this) ==> getN(this) == |getSource(this)| || !Is(getSource(this)[getN(this)], cat) + ensures token == getSource(this)[p..getN(this)] + // New + ensures cat.isIdentifier ==> IsStart(token[0], cat) && forall i: Int :: 1 <= i < |token| ==> IsFollow(token[i], cat) +{ + // skip whitespace + while (getN(this) != |getSource(this)| && Is(getSource(this)[getN(this)], Whitespace())) + invariant Tokenizer(this) + invariant 
getSource(this) == old(getSource(this)) + invariant old(getN(this)) <= getN(this) <= |getSource(this)| + invariant forall i: Int :: old(getN(this)) <= i < getN(this) ==> Is(getSource(this)[i], Whitespace()) + { + unfold Tokenizer(this) + this.n := this.n + 1 + fold Tokenizer(this) + } + p := getN(this) + // determine syntactic category + var return: Bool := false + if (getN(this) == |getSource(this)|) + { + cat := End() + token := Seq() + return := true + } + elseif (Is(getSource(this)[getN(this)], Identifier())) + { + cat := Identifier() + } + elseif (Is(getSource(this)[getN(this)], Number())) + { + cat := Number() + } + elseif (Is(getSource(this)[getN(this)], Operator())) + { + cat := Operator() + } + else + { + cat := Error() + token := Seq() + return := true + } + // read token + if (!return) + { + var start: Int := getN(this) + if (cat.isIdentifier && !IsStart(getSource(this)[getN(this)], cat)) + { + return := true + } + else + { + unfold Tokenizer(this) + this.n := this.n + 1 + fold Tokenizer(this) + while (getN(this) != |getSource(this)| && Is(getSource(this)[getN(this)], cat) && !return) + invariant Tokenizer(this) + invariant getSource(this) == old(getSource(this)) + invariant p <= getN(this) <= |getSource(this)| + invariant forall i: Int :: p <= i < getN(this) ==> Is(getSource(this)[i], cat) + { + if (cat.isIdentifier && !IsFollow(getSource(this)[getN(this)], cat)) + { + return := true + } + else + { + unfold Tokenizer(this) + this.n := this.n + 1 + fold Tokenizer(this) + } + } + } + if (return) + { + cat := Error() + token := Seq() + unfold Tokenizer(this) + this.n := p + fold Tokenizer(this) + } + else + { + token := getSource(this)[start..getN(this)] + } + } +} + +// Exercise 16.7 +/** + * This is a modification of the Tokenizer code from the section 16.1 where we + * have the ability to prune the input string, or sequence of ASCII code + * integers. For that, we track three + * additional fields suffix, m and j. 
The suffix field is the remaining part of + * the input string that has not been pruned. The m field tracks how many + * characters have been pruned from the input string and the j field tracks how + * many characters have been read from the suffix without pruning. We still + * maintain the source field for specification purposes, but we only use the + * suffix field for program logic. We also add a new method + * TokenizerWithPruningPrune that prunes the input string to the current read + * position m + j == n. + */ +field suffix: Seq[Int] +field m: Int +field j: Int + +predicate TokenizerWithPruning(this: Ref) +{ + acc(this.source) && acc(this.suffix) && acc(this.m) && acc(this.j) && + acc(this.n) && 0 <= this.n <= |this.source| && + this.suffix == this.source[this.m..] && this.m + this.j == this.n && + 0 <= this.m <= this.n && 0 <= this.j <= |this.suffix| && + forall i: Int :: 0 <= i < |this.source| ==> 0 <= this.source[i] <= 127 +} + +method TokenizerWithPruningConstructor(s: Seq[Int]) returns (this: Ref) + requires forall i: Int :: 0 <= i < |s| ==> 0 <= s[i] <= 127 + ensures TokenizerWithPruning(this) + ensures unfolding TokenizerWithPruning(this) in this.source == s && + this.suffix == s && this.m == 0 && this.j == 0 && this.n == 0 +{ + this := new(source, suffix, m, j, n) + this.source := s + this.suffix := s + this.m := 0 + this.j := 0 + this.n := 0 + fold TokenizerWithPruning(this) +} + +method TokenizerWithPruningPrune(this: Ref) + requires TokenizerWithPruning(this) + ensures TokenizerWithPruning(this) + ensures unfolding TokenizerWithPruning(this) in this.m == this.n && this.j == 0 + ensures unfolding TokenizerWithPruning(this) in this.suffix == this.source[this.m..] +{ + unfold TokenizerWithPruning(this) + this.m := this.n + this.j := 0 + this.suffix := this.source[this.m..] 
+ fold TokenizerWithPruning(this) + +} + +method ReadWithPruning(this: Ref) returns (cat: Category, p: Int, token: Seq[Int]) + requires TokenizerWithPruning(this) + ensures 0 <= p + ensures TokenizerWithPruning(this) + ensures unfolding TokenizerWithPruning(this) in this.source == old(unfolding TokenizerWithPruning(this) in this.source) + ensures unfolding TokenizerWithPruning(this) in this.m == old(unfolding TokenizerWithPruning(this) in this.m) + ensures !cat.isWhitespace + ensures unfolding TokenizerWithPruning(this) in old(unfolding TokenizerWithPruning(this) in this.n) <= p <= this.n <= |this.source| + ensures unfolding TokenizerWithPruning(this) in cat.isEnd <==> p == |this.source| + ensures unfolding TokenizerWithPruning(this) in cat.isEnd || cat.isError <==> p == this.n + ensures unfolding TokenizerWithPruning(this) in forall i: Int :: old(unfolding TokenizerWithPruning(this) in this.n) <= i < p ==> + Is(this.source[i], Whitespace()) + ensures unfolding TokenizerWithPruning(this) in forall i: Int :: p <= i < this.n ==> Is(this.source[i], cat) + ensures unfolding TokenizerWithPruning(this) in p < this.n ==> this.n == |this.source| || !Is(this.source[this.n], cat) + ensures unfolding TokenizerWithPruning(this) in token == this.suffix[p-this.m..this.j] +{ + unfold TokenizerWithPruning(this) + assert 0 <= this.j <= |this.suffix| + fold TokenizerWithPruning(this) + // skip whitespace + while (unfolding TokenizerWithPruning(this) in this.j != |this.suffix| && Is(this.suffix[this.j], Whitespace())) + invariant TokenizerWithPruning(this) + invariant unfolding TokenizerWithPruning(this) in this.m == old(unfolding TokenizerWithPruning(this) in this.m) + invariant unfolding TokenizerWithPruning(this) in this.source == old(unfolding TokenizerWithPruning(this) in this.source) + invariant unfolding TokenizerWithPruning(this) in old(unfolding TokenizerWithPruning(this) in this.n) <= this.n <= |this.source| + invariant unfolding TokenizerWithPruning(this) in forall i: Int 
:: old(unfolding TokenizerWithPruning(this) in this.n) <= i < this.n ==> Is(this.source[i], Whitespace()) + { + unfold TokenizerWithPruning(this) + this.n := this.n + 1 + this.j := this.j + 1 + fold TokenizerWithPruning(this) + } + unfold TokenizerWithPruning(this) + p := this.n + fold TokenizerWithPruning(this) + // determine syntactic category + var return: Bool := false + if (unfolding TokenizerWithPruning(this) in this.n == |this.source|) + { + cat := End() + token := Seq() + return := true + } + elseif (unfolding TokenizerWithPruning(this) in Is(this.source[this.n], Identifier())) + { + cat := Identifier() + } + elseif (unfolding TokenizerWithPruning(this) in Is(this.source[this.n], Number())) + { + cat := Number() + } + elseif (unfolding TokenizerWithPruning(this) in Is(this.source[this.n], Operator())) + { + cat := Operator() + } + else + { + cat := Error() + token := Seq() + return := true + assert unfolding TokenizerWithPruning(this) in p - this.m == this.j + } + // read token + if (!return) + { + unfold TokenizerWithPruning(this) + var start: Int := this.j + this.n := this.n + 1 + this.j := this.j + 1 + fold TokenizerWithPruning(this) + while (unfolding TokenizerWithPruning(this) in this.n != |this.source| && Is(this.source[this.n], cat)) + invariant TokenizerWithPruning(this) + invariant unfolding TokenizerWithPruning(this) in this.m == old(unfolding TokenizerWithPruning(this) in this.m) + invariant unfolding TokenizerWithPruning(this) in this.source == old(unfolding TokenizerWithPruning(this) in this.source) + invariant unfolding TokenizerWithPruning(this) in p <= this.n <= |this.source| + invariant unfolding TokenizerWithPruning(this) in forall i: Int :: p <= i < this.n ==> Is(this.source[i], cat) + { + unfold TokenizerWithPruning(this) + this.n := this.n + 1 + this.j := this.j + 1 + fold TokenizerWithPruning(this) + } + unfold TokenizerWithPruning(this) + token := this.suffix[start..this.j] + fold TokenizerWithPruning(this) + } +} \ No newline at end 
of file diff --git a/src/test/resources/biabduction/dafny/exercises-16.2.vpr b/src/test/resources/biabduction/dafny/exercises-16.2.vpr new file mode 100644 index 00000000..4fb93717 --- /dev/null +++ b/src/test/resources/biabduction/dafny/exercises-16.2.vpr @@ -0,0 +1,36 @@ +import "examples-16.2.vpr" + +// Exercise 16.8 +/** + * This method is an extension of the CoffeeMaker code from 16.2. It removes + * the grinder from a given CoffeeMaker and returns it. The CoffeeMaker + * receives a new grinder without any beans inside. The state of the removed + * grinder is maintained. The harness tests its functionality. + */ +method CoffeemakerRemoveGrinder(this: Ref) returns (grinder: Ref) + requires CoffeeMaker(this) + ensures CoffeeMaker(this) + ensures Grinder(grinder) + ensures unfolding CoffeeMaker(this) in !getHasBeans(this.CMGrinder) + ensures getHasBeans(grinder) == old(unfolding CoffeeMaker(this) in getHasBeans(this.CMGrinder)) +{ + unfold CoffeeMaker(this) + grinder := this.CMGrinder + this.CMGrinder := GrinderConstructor() + fold CoffeeMaker(this) +} + +method RemoveGrinderHarness() +{ + var cm: Ref := CoffeeMakerConstructor() + var grinder: Ref := CoffeemakerRemoveGrinder(cm) + CoffeeMakerRestock(cm) + GrinderAddBeans(grinder) +} + +// Exercise 16.9 +/** + * This exercise wants to add representation sets to the basic implementation + * from 16.0. Because representation sets are not needed with Viper predicates, + * we do not need to solve this exercise. + */ \ No newline at end of file diff --git a/src/test/resources/biabduction/dafny/exercises-16.3.vpr b/src/test/resources/biabduction/dafny/exercises-16.3.vpr new file mode 100644 index 00000000..5d2b4853 --- /dev/null +++ b/src/test/resources/biabduction/dafny/exercises-16.3.vpr 
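Review bot: The `IsStart`/`IsFollow` guards added to `ReadModifedIdentifier` look unreachable: `cat := Identifier()` is only chosen when `Is(getSource(this)[getN(this)], Identifier())` holds, which is literally `IsStart`, and the inner loop only runs while `Is(getSource(this)[getN(this)], cat)` holds, which implies `IsFollow`, so `return := true` is never set there and the `Error()` branch for malformed identifiers is dead. If `Is(ch, Identifier())` covers letters only, as the header comment says, the identifier loop guard would need to be `IsFollow(getSource(this)[getN(this)], cat)` for trailing digits to be consumed, with the `forall i: Int :: p <= i < getN(this) ==> Is(getSource(this)[i], cat)` postcondition weakened to match; `Is` comes from the imported examples-16.1.vpr, which is not in this hunk, so this is inferred. The `cat` parameter of `IsStart` and `IsFollow` is only used in their preconditions, and the method name drops the second `i` of `Modified`. In `ReadWithPruning`, the `unfold`/`assert 0 <= this.j <= |this.suffix|`/`fold` prologue and the `assert unfolding TokenizerWithPruning(this) in p - this.m == this.j` in the `Error()` branch read as leftover debugging steps; if they are needed to guide the proof, a comment saying so would help.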
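Review bot: `RemoveGrinderHarness` asserts nothing, so it only checks that each call's precondition is met, not the behaviour the header comment says it tests. The grinder returned by `CoffeemakerRemoveGrinder(cm)` is the one `CoffeeMakerConstructor` installed, which that constructor guarantees has no beans, so `assert !getHasBeans(grinder)` and `assert unfolding CoffeeMaker(cm) in !getHasBeans(cm.CMGrinder)` placed right after the remove call would pin both the removed and the replacement grinder. The name `CoffeemakerRemoveGrinder` also breaks the `CoffeeMaker*` prefix every other method in these files uses.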
@@ -0,0 +1,16 @@
+// Exercise 16.10
+/**
+ * Skipped because it concerns representation sets only.
+ */
+
+// Exercise 16.11
+/**
+ * The current implementation already supports the desired functionality
+ * because we do not need representation sets.
+ */
+
+// Exercise 16.12
+/**
+ * You may also use the VSCode IDE with the Viper extension to get IDE
+ * functionality and support for your Viper programs.
+ */
\ No newline at end of file
diff --git a/src/test/resources/biabduction/frontends/chalice/AVLTree.iterative.vpr b/src/test/resources/biabduction/frontends/chalice/AVLTree.iterative.vpr
new file mode 100644
index 00000000..d7b31a14
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/AVLTree.iterative.vpr
@@ -0,0 +1,232 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +field root1 : Ref + +predicate valid1(this: Ref) { + acc(this.root1,write) + && (this.root1!=null ==> acc(valid(this.root1),write)) + && (this.root1!=null ==> acc(this.root1.parent,write)) + && (this.root1!=null ==> this.root1.parent==null) + && (this.root1!=null ==> acc(this.root1.root,1/2)) + && (this.root1!=null ==> this.root1.root==(this.root1)) +} + + +method init(this: Ref) + requires acc(this.root1,write); + ensures acc(valid1(this),write); +{ + this.root1 := null; + fold acc(valid1(this),write); +} + +method has(this:Ref, k : Int) returns (b : Bool) + requires acc(valid1(this),write); + ensures acc(valid1(this),write); +{ +var n : Ref +var end : Bool +var p : Ref +var q : Ref +var r : Ref + unfold acc(valid1(this),write); + if (this.root1==null){ + b := false; + fold acc(valid1(this),write); + }else{ + n := this.root1 + b := false; + end := false; + fold acc(udParentValid(n),write); + while (!end) + invariant acc(this.root1,write); + invariant this.root1 != null && acc(this.root1.parent,1/2); + invariant n!=null; + invariant acc(valid(n),write); + invariant acc(n.root,4/10); + invariant acc(udParentValid(n),write); + invariant unfolding acc(valid(n),write) in n.root==(this.root1); + invariant this.root1!=null; + { + unfold acc(valid(n),write); + unfold acc(validRest(n),write); + + if (n.key==k){ + b := true; + fold acc(validRest(n),write); + fold acc(valid(n),write); + end := true; + }else{ + if (n.keyunfolding acc(udParentValid(n),write) in n.parent==null; + { + unfold acc(udParentValid(n),write); + r := n.parent; + if (r==null){ + end := true; + fold acc(udParentValid(n),write); + }else{ + unfold acc(udValid(r),write); + if (r.left==n){ + unfold acc(leftOpen(r),write); + fold acc(leftValid(r),write); + }else{ + unfold acc(rightOpen(r),write); + fold acc(rightValid(r),write); + } + fold acc(validRest(r),write); + fold 
acc(valid(r),write); + n:=r; + } + } + unfold acc(udParentValid(n),write); + fold acc(valid1(this),write); + + } +} + + + + +// next class +field key : Int +field left : Ref +field right : Ref +field parent : Ref + +field leftDown : Bool +field root : Ref + +predicate valid(this: Ref){ + acc(validRest(this),write) + && acc(leftValid(this),write) + && acc(rightValid(this),write) +} + +predicate validRest(this: Ref){ + acc(this.key ,write) + && acc(this.root, 3/10) + && acc(this.left ,3/4) + && acc(this.right ,3/4) + && acc(this.leftDown,write) + && (this.right!=(this.left) || this.right==null) +} + +predicate rightValid(this: Ref){ + acc(this.right ,1/4) + && acc(this.root,1/10) + && (this.right!=null ==> acc(valid(this.right),write)) + && (this.right!=null ==> acc(this.right.parent,write)) + && (this.right!=null ==> this.right.parent==this) + && (this.right!=null ==> acc(this.right.root,1/2)) + && (this.right!=null ==> this.right.root==(this.root)) +} +predicate leftValid(this: Ref){ + acc(this.left ,1/4) + && acc(this.root,1/10) + && (this.left!=null ==> acc(valid(this.left),write)) + && (this.left!=null ==> acc(this.left.parent,write)) + && (this.left!=null ==> this.left.parent == this) + && (this.left!=null ==> acc(this.left.root,1/2)) + && (this.left!=null ==> this.left.root == (this.root)) +} + +predicate leftOpen(this: Ref){ + acc(this.left ,1/4) + && acc(this.root,1/10) + && (this.left!=null ==> acc(this.left.parent,1/2)) + && (this.left!=null ==> this.left.parent==this) +} + +predicate rightOpen(this: Ref){ + acc(this.right ,1/4) + && acc(this.root,1/10) + && (this.right!=null ==> acc(this.right.parent,1/2)) + && (this.right!=null ==> this.right.parent==this) +} + +predicate udParentValid(this: Ref) { + acc(this.parent,1/2) + && acc(this.root,1/10) + && (this.parent!=null ==> acc(udValid(this.parent),write)) + && (this.parent!=null ==> acc(this.parent.leftDown,1/2)) + && (this.parent!=null ==> acc(this.parent.left,1/2)) + && (this.parent!=null ==> ( 
this.parent.leftDown <==> this.parent.left==this)) + && (this.parent!=null ==> acc(this.parent.right,1/2)) + && (this.parent!=null ==> (!(this.parent.leftDown)<==>this.parent.right==this)) + && (this.parent!=null ==> acc(this.parent.root,1/2)) + && (this.parent!=null ==> this.root==(this.parent.root)) + && (this.parent==null ==> this.root==this) +} + +predicate udValid(this: Ref){ + acc(this.key ,write) + && acc(this.leftDown,1/2) + && acc(this.left ,1/4) + && acc(this.right ,1/4) + && acc(this.root ,1/5) + && ( this.leftDown ==> acc(rightValid(this),write)) + && ( this.leftDown ==> acc(leftOpen(this),write) ) + && ((this.leftDown ==> false) ==> acc(leftValid(this),write) ) + && ((this.leftDown ==> false) ==> acc(rightOpen(this),write) ) + && acc(udParentValid(this),write) +} + +method init_2(this:Ref, k : Int) + requires acc(this.key ,write); + requires acc(this.left ,write); + requires acc(this.right ,write); + requires acc(this.leftDown ,write); + requires acc(this.root, write); + ensures acc(valid(this),write); +{ + this.left := null; + this.right := null; + this.key := k; + + fold acc(leftValid(this),write); + fold acc(rightValid(this),write); + fold acc(validRest(this),write); + fold acc(valid(this),write); +} diff --git a/src/test/resources/biabduction/frontends/chalice/FoldUnfoldExperiments.vpr b/src/test/resources/biabduction/frontends/chalice/FoldUnfoldExperiments.vpr new file mode 100644 index 00000000..966919b9 --- /dev/null +++ b/src/test/resources/biabduction/frontends/chalice/FoldUnfoldExperiments.vpr 
@@ -0,0 +1,39 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field x: Int
+ field y: Int
+
+ predicate X(this: Ref) { acc(this.x, write) }
+
+ predicate Y(this: Ref) { acc(this.y, write) }
+
+ function getX(this: Ref): Int
+ requires acc(X(this), write)
+ { unfolding acc(X(this), write) in this.x }
+
+ function getY(this: Ref): Int
+ requires acc(Y(this), write)
+ { unfolding acc(Y(this), write) in this.y }
+
+ method setX(this: Ref, v: Int)
+ requires acc(X(this), write)
+ ensures acc(X(this), write) && getX(this) == v
+ {
+ unfold acc(X(this), write)
+ this.x := v
+ fold acc(X(this), write)
+ }
+
+ method check(this: Ref)
+ requires acc(this.x, write) && acc(this.y, write)
+ ensures acc(this.y, write) && this.y == 2
+ ensures acc(X(this), write) && getX(this) == 3
+ {
+ this.x := 1
+ this.y := 2
+ fold acc(X(this), write)
+ fold acc(Y(this), write)
+ setX(this, 3);
+ unfold acc(Y(this), write)
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/RingBufferRd.vpr b/src/test/resources/biabduction/frontends/chalice/RingBufferRd.vpr
new file mode 100644
index 00000000..dabfe820
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/RingBufferRd.vpr
@@ -0,0 +1,137 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +field data: Seq[Int]; // the storage +field first: Int; // index of the first element in the queue +field len: Int; // number of elements in the queue + +predicate Valid(this: Ref) { + acc(this.data, write) && acc(this.first, write) && acc(this.len, write) && + 0 <= this.first && 0 <= this.len && + (|this.data| == 0 ==> this.len == 0 && this.first == 0) && + (|this.data| > 0 ==> this.len <= |this.data| && this.first < |this.data|) +} + +function Contents(this: Ref): Seq[Int] + requires acc(Valid(this), wildcard) + { + unfolding acc(Valid(this), wildcard) in + |this.data| == 0 ? Seq[Int]() + : (this.first + this.len <= |this.data| ? this.data[this.first..this.first+this.len] + : this.data[this.first..] ++ this.data[..this.first+this.len-|this.data|]) + } + +function Capacity(this: Ref): Int + requires acc(Valid(this), wildcard) + { + unfolding acc(Valid(this), wildcard) in |this.data| + } + + method Create(this: Ref, n: Int) + requires 0 <= n; + requires acc(this.data, write) && acc(this.first, write) && acc(this.len, write); + ensures acc(Valid(this), write); + ensures Contents(this) == Seq[Int]() && Capacity(this) == n; + { + // simulate creating an array of length n + var i: Int; + i := n; + this.data := Seq[Int](); + while(0 < i) + invariant acc(this.data, write) && 0 <= i && |this.data| == n - i; + { + this.data := this.data ++ Seq(0); + i := i - 1; + } + this.first := 0; + this.len := 0; + fold acc(Valid(this), write); + } + +method Clear(this: Ref) + requires acc(Valid(this), write); + ensures acc(Valid(this), write); + ensures Contents(this) == Seq[Int]() && Capacity(this) == old(Capacity(this)); + { + unfold acc(Valid(this), write); + this.len := 0; + fold acc(Valid(this), write); + } + +method Head(this: Ref) returns (x: Int) + requires acc(Valid(this), wildcard); + requires Contents(this) != Seq[Int](); + ensures acc(Valid(this), 
wildcard); + ensures Contents(this) == old(Contents(this)) && x == Contents(this)[0]; + ensures Capacity(this) == old(Capacity(this)); + { + unfold acc(Valid(this), wildcard); + x := this.data[this.first]; + fold acc(Valid(this), wildcard); + } + + function HeadF(this: Ref): Int + requires acc(Valid(this), wildcard); + requires Contents(this) != Seq[Int](); + ensures result == Contents(this)[0]; + { + unfolding acc(Valid(this), wildcard) in this.data[this.first] + } + + method Push(this: Ref, x: Int) + requires acc(Valid(this), write); + requires |Contents(this)| != Capacity(this); + ensures acc(Valid(this), write); + ensures Contents(this) == old(Contents(this)) ++ Seq(x); + ensures Capacity(this) == old(Capacity(this)); + { + unfold acc(Valid(this), write); + var nextEmpty: Int; + if (this.first + this.len < |this.data|) + { + nextEmpty := this.first + this.len; + } + else + { + nextEmpty := this.first + this.len - |this.data|; + } + this.data := this.data[..nextEmpty] ++ Seq(x) ++ this.data[nextEmpty+1..]; + this.len := this.len + 1; + fold acc(Valid(this), write); + } + + method Pop(this: Ref) returns (x: Int) + requires acc(Valid(this), write); + requires Contents(this) != Seq(1)[1..]; + ensures acc(Valid(this), write); + ensures x == old(Contents(this))[0] && Contents(this) == old(Contents(this))[1..] && Capacity(this) == old(Capacity(this)); + { + unfold acc(Valid(this), write); + x := this.data[this.first]; + if(this.first + 1 == |this.data|) + { + this.first := 0; + } + else + { + this.first := this.first + 1; + } + this.len := this.len - 1; + fold acc(Valid(this), write); + } + + method TestHarness(x: Int, y: Int, z: Int) + { + var b: Ref; + b := new(*); + Create(b, 2); + Push(b, x); + Push(b, y); + var h: Int; + h := Pop(b); assert h == x; + Push(b, z); + h := Pop(b); assert h == y; + h := Pop(b); assert h == z; + assert Capacity(b) == 2; + } + 
diff --git a/src/test/resources/biabduction/frontends/chalice/internal-bug-7.vpr b/src/test/resources/biabduction/frontends/chalice/internal-bug-7.vpr
new file mode 100644
index 00000000..5cc19367
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/internal-bug-7.vpr
@@ -0,0 +1,19 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field n: Ref
+ predicate P(this: Ref) { acc(this.n, write) && (((this.n) != (null)) ==> acc(P(this.n), write)) }
+ function length(this: Ref): Int
+ requires acc(P(this), write)
+ ensures result >= 1
+ { (unfolding acc(P(this), write) in 1 + (((this.n) == (null)) ? 0 : length(this.n))) }
+ method test(this: Ref, node: Ref)
+ requires ((node) != (null))
+ requires acc(P(node), write)
+ {
+ assert (length(node) >= 1)
+ //assert (unfolding acc(node.P(), rd) in (((node.n) == (null))) ==> ((length(node)) == (1)))
+ //assert (unfolding acc(node.P(), rd) in (((node.n) != (null))) ==> ((length(node)) > 1))
+ //assert ((length(node)) == (1)) ==> (unfolding acc(node.P(), rd) in ((node.n) == (null)))
+ //assert ((length(node)) == (1)) <==> (unfolding acc(node.P(), rd) in ((node.n) == (null)))
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/swap.vpr b/src/test/resources/biabduction/frontends/chalice/swap.vpr
new file mode 100644
index 00000000..5e730950
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/swap.vpr
@@ -0,0 +1,20 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ method m(this: Ref, a: Int, b: Int) returns (x: Int, y: Int)
+ ensures ((x) == (a)) && ((y) == (b))
+ {
+ x := a
+ y := b
+ }
+ field F: Int
+ field G: Int
+ method n(this: Ref)
+ requires acc(this.F, write) && acc(this.G, write)
+ ensures acc(this.F, write) && acc(this.G, write)
+ ensures ((this.F) == (old(this.G))) && ((this.G) == (old(this.F)))
+ {
+ var tmp: Int := this.F
+ this.F := this.G
+ this.G := tmp
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/test1.vpr b/src/test/resources/biabduction/frontends/chalice/test1.vpr
new file mode 100644
index 00000000..a8b83cdb
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/test1.vpr
@@ -0,0 +1,45 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field value: Int
+ field next: Ref
+ predicate inv(this: Ref) { acc(this.value, write) && acc(this.next, write) && (((this.next) != (null)) ==> acc(inv(this.next), write)) }
+ function get(this: Ref): Int
+ requires acc(inv(this), write)
+ { (unfolding acc(inv(this), write) in this.value) }
+ method foo(this: Ref)
+ requires acc(inv(this), write) && (unfolding acc(inv(this), write) in ((this.next) != (null)))
+ ensures acc(inv(this), write) && (unfolding acc(inv(this), write) in ((this.next) != (null)))
+ {
+ unfold acc(inv(this), write)
+ this.value := 0
+ unfold acc(inv(this.next), write)
+ this.next.value := 1
+ fold acc(inv(this.next), write)
+ assert ((get(this.next)) == (1))
+ assert ((this.value) == (0))
+ fold acc(inv(this), write)
+ assert ((get(this)) == (0))
+ assert (unfolding acc(inv(this), write) in ((this.next) != (null)) && ((get(this.next)) == (1)))
+ assert (unfolding acc(inv(this), write) in ((get(this.next)) == (1)))
+ }
+ method goo(this: Ref, a: Ref, b: Ref, c: Bool)
+ requires ((a) != (null)) && ((b) != (null)) && acc(inv(a), write) && acc(inv(b), write)
+ {
+ var z: Ref
+ unfold acc(inv(a), write)
+ unfold acc(inv(b), write)
+ a.value := 0
+ b.value := 1
+ if (c) {
+ z := a
+ } else {
+ z := b
+ }
+ fold acc(inv(z), write)
+ assert c ==> acc(inv(a), write) && ((get(a)) == (0))
+ assert !c ==> acc(inv(b), write) && ((get(b)) == (1))
+ unfold acc(inv(z), write)
+ assert ((a.value) == (0))
+ assert ((b.value) == (1))
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/test10.vpr b/src/test/resources/biabduction/frontends/chalice/test10.vpr
new file mode 100644
index 00000000..1e4c86c1
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/test10.vpr
@@ -0,0 +1,15 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field value: Int
+ field next: Ref
+ predicate inv(this: Ref) { acc(this.value, write) && acc(this.next, write) && (((this.next) != (null)) ==> acc(inv(this.next), write)) }
+ function get(this: Ref): Int
+ requires acc(inv(this), write)
+ { (unfolding acc(inv(this), write) in this.value) }
+ method foo(this: Ref)
+ requires acc(inv(this), write) && (unfolding acc(inv(this), write) in ((this.next) != (null)))
+ ensures acc(inv(this), write) && (unfolding acc(inv(this), write) in ((this.next) != (null)))
+ {
+ assert (unfolding acc(inv(this), write) in (unfolding acc(inv(this.next), write) in true))
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/test2.vpr b/src/test/resources/biabduction/frontends/chalice/test2.vpr
new file mode 100644
index 00000000..cb4ceb45
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/test2.vpr
@@ -0,0 +1,53 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field x: Int
+ field y: Int
+ field z: Int
+ field w: Int
+ predicate X(this: Ref) { acc(this.x, write) }
+ predicate Y(this: Ref) { acc(this.y, write) }
+ predicate Z(this: Ref) { acc(this.z, write) }
+ function getX(this: Ref): Int
+ requires acc(X(this), write)
+ { (unfolding acc(X(this), write) in this.x) }
+ function getY(this: Ref): Int
+ requires acc(Y(this), write)
+ { (unfolding acc(Y(this), write) in this.y) }
+ function getZ(this: Ref): Int
+ requires acc(Z(this), write)
+ { (unfolding acc(Z(this), write) in this.z) }
+ method setX(this: Ref, v: Int)
+ requires acc(X(this), write)
+ ensures acc(X(this), write) && ((getX(this)) == (v))
+ {
+ unfold acc(X(this), write)
+ this.x := v
+ fold acc(X(this), write)
+ }
+ method check(this: Ref)
+ requires acc(this.x, write) && acc(this.y, write) && acc(this.z, write) && acc(this.w, write)
+ ensures acc(this.y, write) && ((this.y) == (2)) && acc(X(this), write) && ((getX(this)) == (3)) && acc(Z(this), write) && ((getZ(this)) == (4)) && acc(this.w, write) && ((this.w) == (10))
+ {
+ this.x := 1
+ this.y := 2
+ this.z := 4
+ this.w := 10
+ fold acc(X(this), write)
+ fold acc(Y(this), write)
+ fold acc(Z(this), write)
+ setX(this, 3);
+ unfold acc(Y(this), write)
+ }
+ method check1(this: Ref)
+ requires acc(X(this), write) && acc(this.y, write) && ((this.y) == (1))
+ ensures acc(this.y, write) && ((this.y) == (1)) && acc(X(this), write) && ((getX(this)) == (200))
+ {
+ setX(this, 10);
+ fold acc(Y(this), write)
+ setX(this, 100);
+ unfold acc(Y(this), write)
+ fold acc(Y(this), write)
+ unfold acc(Y(this), write)
+ setX(this, 200);
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/test3.vpr b/src/test/resources/biabduction/frontends/chalice/test3.vpr
new file mode 100644
index 00000000..d6b35cbf
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/test3.vpr
@@ -0,0 +1,22 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field value: Int
+ predicate inv(this: Ref) { acc(this.value, write) }
+ function get(this: Ref): Int
+ requires acc(inv(this), write)
+ { (unfolding acc(inv(this), write) in this.value) }
+ method set(this: Ref, newval: Int)
+ requires acc(inv(this), write)
+ ensures acc(inv(this), write) && ((get(this)) == (newval))
+ {
+ unfold acc(inv(this), write)
+ this.value := newval
+ fold acc(inv(this), write)
+ }
+ method test(this: Ref)
+ requires acc(inv(this), write)
+ {
+ set(this, 3);
+ set(this, 4);
+ }
diff --git a/src/test/resources/biabduction/frontends/chalice/test8.vpr b/src/test/resources/biabduction/frontends/chalice/test8.vpr
new file mode 100644
index 00000000..a91245e2
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/chalice/test8.vpr
@@ -0,0 +1,46 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+ field value: Int
+ field next: Ref
+ predicate inv(this: Ref) { acc(this.value, write) }
+ predicate tinv(this: Ref) { acc(this.value, write) && acc(this.next, write) && (((this.next) != (null)) ==> acc(tinv(this.next), write)) }
+ function get(this: Ref): Int
+ requires acc(tinv(this), write)
+ { (unfolding acc(tinv(this), write) in this.value) }
+ method fufu(this: Ref)
+ requires acc(this.value, write)
+ {
+ fold acc(inv(this), write)
+ unfold acc(inv(this), write)
+ fold acc(inv(this), write)
+ unfold acc(inv(this), write)
+ }
+ method fuf(this: Ref)
+ requires acc(this.value, write)
+ {
+ fold acc(inv(this), write)
+ unfold acc(inv(this), write)
+ fold acc(inv(this), write)
+ }
+ method uf(this: Ref)
+ requires acc(inv(this), write)
+ {
+ unfold acc(inv(this), write)
+ fold acc(inv(this), write)
+ }
+ method fu(this: Ref)
+ requires acc(this.value, write)
+ {
+ fold acc(inv(this), write)
+ unfold acc(inv(this), write)
+ }
+ method t(this: Ref)
+ requires acc(tinv(this), write) && (unfolding acc(tinv(this), write) in ((this.next) != (null)))
+ ensures acc(tinv(this), write) && (unfolding acc(tinv(this), write) in ((this.next) != (null)))
+ {
+ unfold acc(tinv(this), write)
+ unfold acc(tinv(this.next), write)
+ fold acc(tinv(this.next), write)
+ fold acc(tinv(this), write)
+ }
diff --git a/src/test/resources/biabduction/frontends/gobra/binary_search_tree.gobra.vpr b/src/test/resources/biabduction/frontends/gobra/binary_search_tree.gobra.vpr
new file mode 100644
index 00000000..5d971afb
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/gobra/binary_search_tree.gobra.vpr
@@ -0,0 +1,1876 @@ +domain String { + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit(): Int + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit()) == 0 + } +} + +domain Types { + + function empty_interface_Types(): Types + + unique function empty_interface_Types_tag(): Int + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + function nil_Types(): Types + + unique function nil_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function tag_Types(t: Types): Int + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } +} + +domain ShStruct1[T0] { + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function 
ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructget2of3(x: ShStruct3[T0, T1, T2]): T2 + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain Tuple1[T0] { + + function tuple1(t0: T0): Tuple1[T0] + + function get0of1(p: Tuple1[T0]): T0 + + axiom getter_over_tuple1 { + (forall t0: T0 :: + { (tuple1(t0): Tuple1[T0]) } + (get0of1((tuple1(t0): Tuple1[T0])): T0) == t0) + } + + axiom tuple1_over_getter { + (forall p: Tuple1[T0] :: + { (get0of1(p): T0) } + (tuple1((get0of1(p): T0)): Tuple1[T0]) == p) + } +} + +domain Tuple3[T0, T1, T2] { + + function tuple3(t0: T0, t1: T1, t2: T2): Tuple3[T0, T1, T2] + + function get0of3(p: Tuple3[T0, T1, T2]): T0 + + function get1of3(p: Tuple3[T0, T1, T2]): T1 + + function get2of3(p: Tuple3[T0, T1, T2]): T2 + + axiom getter_over_tuple3 { + (forall t0: T0, t1: T1, t2: T2 :: + { (tuple3(t0, t1, t2): 
Tuple3[T0, T1, T2]) } + (get0of3((tuple3(t0, t1, t2): Tuple3[T0, T1, T2])): T0) == t0 && + (get1of3((tuple3(t0, t1, t2): Tuple3[T0, T1, T2])): T1) == t1 && + (get2of3((tuple3(t0, t1, t2): Tuple3[T0, T1, T2])): T2) == t2) + } + + axiom tuple3_over_getter { + (forall p: Tuple3[T0, T1, T2] :: + { (get0of3(p): T0) } + { (get1of3(p): T1) } + { (get2of3(p): T2) } + (tuple3((get0of3(p): T0), (get1of3(p): T1), (get2of3(p): T2)): Tuple3[T0, T1, T2]) == + p) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { (tuple2(t0, t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain Option[T] { + + function optSome(e: T): Option[T] + + function optNone(): Option[T] + + function optGet(o: Option[T]): T + + function optIsNone(o: Option[T]): Bool + + axiom { + (forall e: T :: + { (optSome(e): Option[T]) } + (optGet((optSome(e): Option[T])): T) == e && + !(optIsNone((optSome(e): Option[T])): Bool)) + } + + axiom { + (forall o: Option[T] :: + { (optGet(o): T) } + !(optIsNone(o): Bool) ==> o == (optSome((optGet(o): T)): Option[T])) + } + + axiom { + (optIsNone((optNone(): Option[T])): Bool) + } + + axiom { + (forall o: Option[T] :: + { (optIsNone(o): Bool) } + o == (optNone(): Option[T]) || + (exists e: T :: { (optSome(e): Option[T]) } o == + (optSome(e): Option[T]))) + } +} + +domain WellFoundedOrder[T] { + + function decreasing(arg1: T, arg2: T): Bool + + function bounded(arg1: T): Bool +} + +field Intint$$$$_E_$$$: Int + +field PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$: ShStruct3[Ref, Ref, Ref] + +// decreases _ 
+function shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$(): ShStruct1[Ref] + ensures (ShStructget0of1(result): Ref) == null + + +// decreases _ +function shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$(): ShStruct3[Ref, Ref, Ref] + ensures (ShStructget0of3(result): Ref) == null && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Ref) == null + + +function IsEmpty_ff156c70_PMTree(t_V0: ShStruct1[Ref]): Bool + requires acc(tree_ff156c70_PMTree(t_V0), write) + ensures result == + (unfolding acc(tree_ff156c70_PMTree(t_V0), write) in + (ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) +{ + (unfolding acc(tree_ff156c70_PMTree(t_V0), write) in + (ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) +} + +function sorted_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], lowerBound_V0: Option[Int], + upperBound_V0: Option[Int]): Bool + requires acc(tree_ff156c70_PMnode(n_V0), wildcard) +{ + (unfolding acc(tree_ff156c70_PMnode(n_V0), wildcard) in + (!(lowerBound_V0 == (optNone(): Option[Int])) ? + (optGet(lowerBound_V0): Int) < + (ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$ : + true) && + (!(upperBound_V0 == (optNone(): Option[Int])) ? + (ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$ < + (optGet(upperBound_V0): Int) : + true) && + (!((ShStructget1of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ? 
+ sorted_ff156c70_PMnode((ShStructget1of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + lowerBound_V0, (optSome((ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$): Option[Int])) : + true) && + (!((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ? + sorted_ff156c70_PMnode((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optSome((ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0) : + true)) +} + +function sortedValues_ff156c70_PMTree(t_V0: ShStruct1[Ref]): Seq[Int] + requires acc(tree_ff156c70_PMTree(t_V0), wildcard) + ensures (forall i_V1: Int :: + { result[i_V1] } + 0 <= i_V1 && i_V1 + 1 < |result| ==> result[i_V1] < result[i_V1 + 1]) +{ + (unfolding acc(tree_ff156c70_PMTree(t_V0), wildcard) in + ((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() ? 
+ Seq[Int]() : + sortedValues_ff156c70_PMnode((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optNone(): Option[Int]), (optNone(): Option[Int])))) +} + +function sortedValues_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], lowerBound_V0: Option[Int], + upperBound_V0: Option[Int]): Seq[Int] + requires acc(tree_ff156c70_PMnode(n_V0), wildcard) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures (forall i_V1: Int :: + { result[i_V1] } + 0 <= i_V1 && i_V1 < |result| ==> + (!(lowerBound_V0 == (optNone(): Option[Int])) ==> + result[i_V1] > (optGet(lowerBound_V0): Int)) && + (!(upperBound_V0 == (optNone(): Option[Int])) ==> + result[i_V1] < (optGet(upperBound_V0): Int))) + ensures (forall i_V1: Int :: + { result[i_V1] } + 0 <= i_V1 && i_V1 + 1 < |result| ==> result[i_V1] < result[i_V1 + 1]) +{ + (unfolding acc(tree_ff156c70_PMnode(n_V0), wildcard) in + ((ShStructget1of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() ? + Seq[Int]() : + sortedValues_ff156c70_PMnode((ShStructget1of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + lowerBound_V0, (optSome((ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$): Option[Int]))) ++ + Seq((ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$) ++ + ((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() ? 
+ Seq[Int]() : + sortedValues_ff156c70_PMnode((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optSome((ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0))) +} + +function pureContains_ff156c70_PMTree(t_V0: ShStruct1[Ref], value_V0: Int, dividend_V0: Int): Bool + requires dividend_V0 > 0 && + acc(tree_ff156c70_PMTree(t_V0), 1 / dividend_V0) +{ + (unfolding acc(tree_ff156c70_PMTree(t_V0), 1 / dividend_V0) in + !((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) && + (value_V0 in + sortedValues_ff156c70_PMnode((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optNone(): Option[Int]), (optNone(): Option[Int])))) +} + +// decreases +function IsDuplicableMem_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), wildcard) + + +predicate tree_ff156c70_PMTree(t_V0: ShStruct1[Ref]) { + acc((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_ff156c70_PMnode((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$), write) && + sorted_ff156c70_PMnode((ShStructget0of1(t_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optNone(): Option[Int]), (optNone(): Option[Int]))) +} + +predicate tree_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref]) { + acc((ShStructget0of3(n_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget1of3(n_V0): 
Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget1of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_ff156c70_PMnode((ShStructget1of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$), write)) && + (!((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_ff156c70_PMnode((ShStructget2of3(n_V0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$), write)) +} + +predicate ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]) + +method NewTree_ff156c70_F() returns (t_V0: ShStruct1[Ref]) + ensures acc(tree_ff156c70_PMTree(t_V0), write) && + IsEmpty_ff156c70_PMTree(t_V0) +{ + inhale t_V0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // decl t_V0_CN0: *Tree_ff156c70_T@°° + { + var t_V0_CN0: ShStruct1[Ref] + + + + // init t_V0_CN0 + inhale t_V0_CN0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // decl N2: *Tree_ff156c70_T@°° + { + var N2: ShStruct1[Ref] + + // N2 = new(dflt[Tree_ff156c70_T°]) + { + var fn$$0: ShStruct1[Ref] + inhale (let fn$$1 == + (fn$$0) in + acc((ShStructget0of1(fn$$1): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write)) && + (let fn$$2 == + (fn$$0) in + (let fn$$3 == + ((tuple1(shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()): Tuple1[ShStruct3[Ref, Ref, Ref]])) in + (ShStructget0of1(fn$$2): 
Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + (get0of1(fn$$3): ShStruct3[Ref, Ref, Ref]))) + N2 := fn$$0 + } + + // t_V0_CN0 = N2 + t_V0_CN0 := N2 + + // fold acc(t_V0_CN0.tree()) + fold acc(tree_ff156c70_PMTree(t_V0_CN0), write) + + // t_V0_CN0 = t_V0_CN0 + t_V0_CN0 := t_V0_CN0 + + // return + goto returnLabel + } + label returnLabel + + // t_V0 = t_V0_CN0 + t_V0 := t_V0_CN0 + } +} + +method Contains_ff156c70_PMTree(t_V0: ShStruct1[Ref], value_V0: Int, dividend_V0: Int) + returns (res_V0: Bool) + requires dividend_V0 > 0 + requires acc(tree_ff156c70_PMTree(t_V0), 1 / dividend_V0) + ensures acc(tree_ff156c70_PMTree(t_V0), 1 / dividend_V0) + ensures res_V0 == + pureContains_ff156c70_PMTree(t_V0, value_V0, dividend_V0) +{ + inhale res_V0 == false + + // decl t_V0_CN0: *Tree_ff156c70_T@°°, value_V0_CN1: int°°, dividend_V0_CN2: int°°, res_V0_CN3: bool°° + { + var res_V0_CN3: Bool + var dividend_V0_CN2: Int + var value_V0_CN1: Int + var t_V0_CN0: ShStruct1[Ref] + + + + // init t_V0_CN0 + inhale t_V0_CN0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // init dividend_V0_CN2 + inhale dividend_V0_CN2 == 0 + + // init res_V0_CN3 + inhale res_V0_CN3 == false + + // t_V0_CN0 = t_V0 + t_V0_CN0 := t_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // dividend_V0_CN2 = dividend_V0 + dividend_V0_CN2 := dividend_V0 + + // decl + + // unfold acc(t_V0_CN0.tree(), 1/dividend_V0_CN2) + unfold acc(tree_ff156c70_PMTree(t_V0_CN0), 1 / dividend_V0_CN2) + + // if(*t_V0_CN0.rootA == (nil:*node_ff156c70_T@°)) {...} else {...} + if ((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) { + + // decl + + // res_V0_CN3 = false + res_V0_CN3 := false + } else { + + // decl N5: bool°° + { + var N5: 
Bool + + // N5 = *t_V0_CN0.rootAcontains(value_V0_CN1, dividend_V0_CN2, none[int°], none[int°]) + N5 := contains_ff156c70_PMnode((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, dividend_V0_CN2, (optNone(): Option[Int]), (optNone(): Option[Int])) + + // res_V0_CN3 = N5 + res_V0_CN3 := N5 + } + } + + // fold acc(t_V0_CN0.tree(), 1/dividend_V0_CN2) + fold acc(tree_ff156c70_PMTree(t_V0_CN0), 1 / dividend_V0_CN2) + + // res_V0_CN3 = res_V0_CN3 + res_V0_CN3 := res_V0_CN3 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN3 + res_V0 := res_V0_CN3 + } +} + +method contains_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], value_V0: Int, + dividend_V0: Int, lowerBound_V0: Option[Int], upperBound_V0: Option[Int]) + returns (res_V0: Bool) + requires dividend_V0 > 0 + requires acc(tree_ff156c70_PMnode(n_V0), 1 / dividend_V0) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures acc(tree_ff156c70_PMnode(n_V0), 1 / dividend_V0) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures res_V0 == + (value_V0 in + sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)) +{ + inhale res_V0 == false + + // decl n_V0_CN0: *node_ff156c70_T@°°, value_V0_CN1: int°°, dividend_V0_CN2: int°°, lowerBound_V0_CN3: option[int°]°°, upperBound_V0_CN4: option[int°]°°, res_V0_CN5: bool°° + { + var res_V0_CN5: Bool + var upperBound_V0_CN4: Option[Int] + var lowerBound_V0_CN3: Option[Int] + var dividend_V0_CN2: Int + var value_V0_CN1: Int + var n_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init n_V0_CN0 + inhale n_V0_CN0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // init dividend_V0_CN2 + inhale dividend_V0_CN2 == 0 + + // init lowerBound_V0_CN3 + inhale lowerBound_V0_CN3 == (optNone(): Option[Int]) + + // init 
upperBound_V0_CN4 + inhale upperBound_V0_CN4 == (optNone(): Option[Int]) + + // init res_V0_CN5 + inhale res_V0_CN5 == false + + // n_V0_CN0 = n_V0 + n_V0_CN0 := n_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // dividend_V0_CN2 = dividend_V0 + dividend_V0_CN2 := dividend_V0 + + // lowerBound_V0_CN3 = lowerBound_V0 + lowerBound_V0_CN3 := lowerBound_V0 + + // upperBound_V0_CN4 = upperBound_V0 + upperBound_V0_CN4 := upperBound_V0 + + // decl + + // unfold acc(n_V0_CN0.tree(), 1/dividend_V0_CN2) + unfold acc(tree_ff156c70_PMnode(n_V0_CN0), 1 / dividend_V0_CN2) + + // if(*n_V0_CN0.valueA == value_V0_CN1) {...} else {...} + if ((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ == value_V0_CN1) { + + // decl + + // res_V0_CN5 = true + res_V0_CN5 := true + } else { + + // if(value_V0_CN1 < *n_V0_CN0.valueA && *n_V0_CN0.leftA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (value_V0_CN1 < (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ && + !((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N10: bool°° + { + var N10: Bool + + // N10 = *n_V0_CN0.leftAcontains(value_V0_CN1, dividend_V0_CN2, lowerBound_V0_CN3, some(*n_V0_CN0.valueA)) + N10 := contains_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, dividend_V0_CN2, lowerBound_V0_CN3, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int])) + + // res_V0_CN5 = N10 + res_V0_CN5 := N10 + } + } else { + + // if(value_V0_CN1 > *n_V0_CN0.valueA && *n_V0_CN0.rightA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (value_V0_CN1 > + (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ && + !((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + 
shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N9: bool°° + { + var N9: Bool + + // N9 = *n_V0_CN0.rightAcontains(value_V0_CN1, dividend_V0_CN2, some(*n_V0_CN0.valueA), upperBound_V0_CN4) + N9 := contains_ff156c70_PMnode((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, dividend_V0_CN2, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0_CN4) + + // res_V0_CN5 = N9 + res_V0_CN5 := N9 + } + } else { + + // decl + + // res_V0_CN5 = false + res_V0_CN5 := false + } + } + } + + // fold acc(n_V0_CN0.tree(), 1/dividend_V0_CN2) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), 1 / dividend_V0_CN2) + + // res_V0_CN5 = res_V0_CN5 + res_V0_CN5 := res_V0_CN5 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN5 + res_V0 := res_V0_CN5 + } +} + +method Insert_ff156c70_PMTree(t_V0: ShStruct1[Ref], value_V0: Int) + requires acc(tree_ff156c70_PMTree(t_V0), write) + ensures acc(tree_ff156c70_PMTree(t_V0), write) + ensures (value_V0 in sortedValues_ff156c70_PMTree(t_V0)) + ensures |sortedValues_ff156c70_PMTree(t_V0)| == + old(|sortedValues_ff156c70_PMTree(t_V0)|) + + ((value_V0 in old(sortedValues_ff156c70_PMTree(t_V0))) ? 
0 : 1) + ensures (forall i_V1: Int :: + { (i_V1 in old(sortedValues_ff156c70_PMTree(t_V0))) } + { (i_V1 in sortedValues_ff156c70_PMTree(t_V0)) } + (i_V1 in old(sortedValues_ff156c70_PMTree(t_V0))) ==> + (i_V1 in sortedValues_ff156c70_PMTree(t_V0))) + ensures (value_V0 in old(sortedValues_ff156c70_PMTree(t_V0))) ==> + old(sortedValues_ff156c70_PMTree(t_V0)) == + sortedValues_ff156c70_PMTree(t_V0) +{ + + // decl t_V0_CN0: *Tree_ff156c70_T@°°, value_V0_CN1: int°° + { + var value_V0_CN1: Int + var t_V0_CN0: ShStruct1[Ref] + + + + // init t_V0_CN0 + inhale t_V0_CN0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // t_V0_CN0 = t_V0 + t_V0_CN0 := t_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // decl + + // unfold acc(t_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMTree(t_V0_CN0), write) + + // if(*t_V0_CN0.rootA == (nil:*node_ff156c70_T@°)) {...} else {...} + if ((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) { + + // decl N11: *node_ff156c70_T@°° + { + var N11: ShStruct3[Ref, Ref, Ref] + + // N11 = new(node_ff156c70_T°{value_V0_CN1, dflt[*node_ff156c70_T@°], dflt[*node_ff156c70_T@°]}) + { + var fn$$0: ShStruct3[Ref, Ref, Ref] + inhale (let fn$$1 == + (fn$$0) in + acc((ShStructget0of3(fn$$1): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget1of3(fn$$1): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget2of3(fn$$1): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write)) && + (let fn$$2 == + (fn$$0) in + (let fn$$3 == + ((tuple3(value_V0_CN1, shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$(), + 
shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()): Tuple3[Int, ShStruct3[Ref, Ref, Ref], ShStruct3[Ref, Ref, Ref]])) in + (ShStructget0of3(fn$$2): Ref).Intint$$$$_E_$$$ == + (get0of3(fn$$3): Int) && + (ShStructget1of3(fn$$2): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + (get1of3(fn$$3): ShStruct3[Ref, Ref, Ref]) && + (ShStructget2of3(fn$$2): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + (get2of3(fn$$3): ShStruct3[Ref, Ref, Ref]))) + N11 := fn$$0 + } + + // *t_V0_CN0.rootA = N11 + (ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N11 + + // fold acc(*t_V0_CN0.rootA.tree()) + fold acc(tree_ff156c70_PMnode((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$), write) + } + } else { + + // decl + + // *t_V0_CN0.rootAinsert(value_V0_CN1, none[int°], none[int°]) + insert_ff156c70_PMnode((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, (optNone(): Option[Int]), (optNone(): Option[Int])) + } + + // fold acc(t_V0_CN0.tree()) + fold acc(tree_ff156c70_PMTree(t_V0_CN0), write) + label returnLabel + } +} + +method insert_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], value_V0: Int, + lowerBound_V0: Option[Int], upperBound_V0: Option[Int]) + requires !(lowerBound_V0 == (optNone(): Option[Int])) ==> + (optGet(lowerBound_V0): Int) < value_V0 + requires !(upperBound_V0 == (optNone(): Option[Int])) ==> + (optGet(upperBound_V0): Int) > value_V0 + requires acc(tree_ff156c70_PMnode(n_V0), write) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures acc(tree_ff156c70_PMnode(n_V0), write) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures (value_V0 in + sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)) + ensures |sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)| == + 
old(|sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)|) + + ((value_V0 in + old(sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0))) ? + 0 : + 1) + ensures (forall i_V1: Int :: + { (i_V1 in + old(sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0))) } + { (i_V1 in + sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)) } + (i_V1 in + old(sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0))) ==> + (i_V1 in + sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0))) + ensures (value_V0 in + old(sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0))) ==> + old(sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)) == + sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) +{ + + // decl n_V0_CN0: *node_ff156c70_T@°°, value_V0_CN1: int°°, lowerBound_V0_CN2: option[int°]°°, upperBound_V0_CN3: option[int°]°° + { + var upperBound_V0_CN3: Option[Int] + var lowerBound_V0_CN2: Option[Int] + var value_V0_CN1: Int + var n_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init n_V0_CN0 + inhale n_V0_CN0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // init lowerBound_V0_CN2 + inhale lowerBound_V0_CN2 == (optNone(): Option[Int]) + + // init upperBound_V0_CN3 + inhale upperBound_V0_CN3 == (optNone(): Option[Int]) + + // n_V0_CN0 = n_V0 + n_V0_CN0 := n_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // lowerBound_V0_CN2 = lowerBound_V0 + lowerBound_V0_CN2 := lowerBound_V0 + + // upperBound_V0_CN3 = upperBound_V0 + upperBound_V0_CN3 := upperBound_V0 + + // decl + + // unfold acc(n_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // if(value_V0_CN1 < *n_V0_CN0.valueA) {...} else {...} + if (value_V0_CN1 < (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$) { + + // decl + + // 
if(*n_V0_CN0.leftA == (nil:*node_ff156c70_T@°)) {...} else {...} + if ((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) { + + // decl N16: *node_ff156c70_T@°° + { + var N16: ShStruct3[Ref, Ref, Ref] + + // N16 = new(node_ff156c70_T°{value_V0_CN1, dflt[*node_ff156c70_T@°], dflt[*node_ff156c70_T@°]}) + { + var fn$$0: ShStruct3[Ref, Ref, Ref] + inhale (let fn$$1 == + (fn$$0) in + acc((ShStructget0of3(fn$$1): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget1of3(fn$$1): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget2of3(fn$$1): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write)) && + (let fn$$2 == + (fn$$0) in + (let fn$$3 == + ((tuple3(value_V0_CN1, shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$(), + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()): Tuple3[Int, ShStruct3[Ref, Ref, Ref], ShStruct3[Ref, Ref, Ref]])) in + (ShStructget0of3(fn$$2): Ref).Intint$$$$_E_$$$ == + (get0of3(fn$$3): Int) && + (ShStructget1of3(fn$$2): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + (get1of3(fn$$3): ShStruct3[Ref, Ref, Ref]) && + (ShStructget2of3(fn$$2): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + (get2of3(fn$$3): ShStruct3[Ref, Ref, Ref]))) + N16 := fn$$0 + } + + // *n_V0_CN0.leftA = N16 + (ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N16 + + // fold acc(*n_V0_CN0.leftA.tree()) + fold acc(tree_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$), write) + } + } else { + + // decl + + // *n_V0_CN0.leftAinsert(value_V0_CN1, 
lowerBound_V0_CN2, some(*n_V0_CN0.valueA)) + insert_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, lowerBound_V0_CN2, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int])) + } + } else { + + // if(value_V0_CN1 > *n_V0_CN0.valueA) {...} else {...} + if (value_V0_CN1 > (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$) { + + // decl + + // if(*n_V0_CN0.rightA == (nil:*node_ff156c70_T@°)) {...} else {...} + if ((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) { + + // decl N15: *node_ff156c70_T@°° + { + var N15: ShStruct3[Ref, Ref, Ref] + + // N15 = new(node_ff156c70_T°{value_V0_CN1, dflt[*node_ff156c70_T@°], dflt[*node_ff156c70_T@°]}) + { + var fn$$4: ShStruct3[Ref, Ref, Ref] + inhale (let fn$$5 == + (fn$$4) in + acc((ShStructget0of3(fn$$5): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget1of3(fn$$5): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget2of3(fn$$5): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, write)) && + (let fn$$6 == + (fn$$4) in + (let fn$$7 == + ((tuple3(value_V0_CN1, shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$(), + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()): Tuple3[Int, ShStruct3[Ref, Ref, Ref], ShStruct3[Ref, Ref, Ref]])) in + (ShStructget0of3(fn$$6): Ref).Intint$$$$_E_$$$ == + (get0of3(fn$$7): Int) && + (ShStructget1of3(fn$$6): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + (get1of3(fn$$7): ShStruct3[Ref, Ref, Ref]) && + (ShStructget2of3(fn$$6): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == 
+ (get2of3(fn$$7): ShStruct3[Ref, Ref, Ref]))) + N15 := fn$$4 + } + + // *n_V0_CN0.rightA = N15 + (ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N15 + + // fold acc(*n_V0_CN0.rightA.tree()) + fold acc(tree_ff156c70_PMnode((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$), write) + } + } else { + + // decl + + // *n_V0_CN0.rightAinsert(value_V0_CN1, some(*n_V0_CN0.valueA), upperBound_V0_CN3) + insert_ff156c70_PMnode((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0_CN3) + } + } + } + + // fold acc(n_V0_CN0.tree()) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + label returnLabel + } +} + +method Delete_ff156c70_PMTree(t_V0: ShStruct1[Ref], value_V0: Int) + requires acc(tree_ff156c70_PMTree(t_V0), write) + ensures acc(tree_ff156c70_PMTree(t_V0), write) + ensures !((value_V0 in sortedValues_ff156c70_PMTree(t_V0))) +{ + + // decl t_V0_CN0: *Tree_ff156c70_T@°°, value_V0_CN1: int°° + { + var value_V0_CN1: Int + var t_V0_CN0: ShStruct1[Ref] + + + + // init t_V0_CN0 + inhale t_V0_CN0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // t_V0_CN0 = t_V0 + t_V0_CN0 := t_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // decl + + // unfold acc(t_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMTree(t_V0_CN0), write) + + // if(*t_V0_CN0.rootA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N3: *node_ff156c70_T@°° + { + var N3: ShStruct3[Ref, Ref, Ref] + + // N3 = *t_V0_CN0.rootAdelete(value_V0_CN1, none[int°], 
none[int°]) + N3 := delete_ff156c70_PMnode((ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, (optNone(): Option[Int]), (optNone(): Option[Int])) + + // *t_V0_CN0.rootA = N3 + (ShStructget0of1(t_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N3 + } + } + + // fold acc(t_V0_CN0.tree()) + fold acc(tree_ff156c70_PMTree(t_V0_CN0), write) + label returnLabel + } +} + +method delete_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], value_V0: Int, + lowerBound_V0: Option[Int], upperBound_V0: Option[Int]) + returns (res_V0: ShStruct3[Ref, Ref, Ref]) + requires !(lowerBound_V0 == (optNone(): Option[Int])) ==> + (optGet(lowerBound_V0): Int) < value_V0 + requires !(upperBound_V0 == (optNone(): Option[Int])) ==> + (optGet(upperBound_V0): Int) > value_V0 + requires acc(tree_ff156c70_PMnode(n_V0), write) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures !(res_V0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_ff156c70_PMnode(res_V0), write) && + sorted_ff156c70_PMnode(res_V0, lowerBound_V0, upperBound_V0) + ensures !(res_V0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + !((value_V0 in + sortedValues_ff156c70_PMnode(res_V0, lowerBound_V0, upperBound_V0))) +{ + inhale res_V0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // decl n_V0_CN0: *node_ff156c70_T@°°, value_V0_CN1: int°°, lowerBound_V0_CN2: option[int°]°°, upperBound_V0_CN3: option[int°]°°, res_V0_CN4: *node_ff156c70_T@°° + { + var res_V0_CN4: ShStruct3[Ref, Ref, Ref] + var upperBound_V0_CN3: Option[Int] + var lowerBound_V0_CN2: Option[Int] + var value_V0_CN1: Int + var n_V0_CN0: 
ShStruct3[Ref, Ref, Ref] + + + + // init n_V0_CN0 + inhale n_V0_CN0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // init lowerBound_V0_CN2 + inhale lowerBound_V0_CN2 == (optNone(): Option[Int]) + + // init upperBound_V0_CN3 + inhale upperBound_V0_CN3 == (optNone(): Option[Int]) + + // init res_V0_CN4 + inhale res_V0_CN4 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // n_V0_CN0 = n_V0 + n_V0_CN0 := n_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // lowerBound_V0_CN2 = lowerBound_V0 + lowerBound_V0_CN2 := lowerBound_V0 + + // upperBound_V0_CN3 = upperBound_V0 + upperBound_V0_CN3 := upperBound_V0 + + // decl + + // unfold acc(n_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // if(value_V0_CN1 < *n_V0_CN0.valueA && *n_V0_CN0.leftA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (value_V0_CN1 < (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ && + !((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N11: *node_ff156c70_T@°° + { + var N11: ShStruct3[Ref, Ref, Ref] + + // N11 = *n_V0_CN0.leftAdelete(value_V0_CN1, lowerBound_V0_CN2, some(*n_V0_CN0.valueA)) + N11 := delete_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, lowerBound_V0_CN2, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int])) + + // *n_V0_CN0.leftA = N11 + (ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N11 + + // fold acc(n_V0_CN0.tree()) + fold 
acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // res_V0_CN4 = n_V0_CN0 + res_V0_CN4 := n_V0_CN0 + } + } else { + + // if(value_V0_CN1 > *n_V0_CN0.valueA && *n_V0_CN0.rightA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (value_V0_CN1 > (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ && + !((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N10: *node_ff156c70_T@°° + { + var N10: ShStruct3[Ref, Ref, Ref] + + // N10 = *n_V0_CN0.rightAdelete(value_V0_CN1, some(*n_V0_CN0.valueA), upperBound_V0_CN3) + N10 := delete_ff156c70_PMnode((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + value_V0_CN1, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0_CN3) + + // *n_V0_CN0.rightA = N10 + (ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N10 + + // fold acc(n_V0_CN0.tree()) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // res_V0_CN4 = n_V0_CN0 + res_V0_CN4 := n_V0_CN0 + } + } else { + + // if(value_V0_CN1 == *n_V0_CN0.valueA) {...} else {...} + if (value_V0_CN1 == + (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$) { + + // decl + + // if(*n_V0_CN0.leftA != (nil:*node_ff156c70_T@°) && *n_V0_CN0.rightA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) && + !((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl 
minValue_V1: int°°, N8: *node_ff156c70_T@°°, N9: int°° + { + var N9: Int + var N8: ShStruct3[Ref, Ref, Ref] + var minValue_V1: Int + + // init minValue_V1 + inhale minValue_V1 == 0 + + // minValue_V1 = dflt[int°] + minValue_V1 := 0 + + // N8, N9 = *n_V0_CN0.rightAdeleteMinimum(some(*n_V0_CN0.valueA), upperBound_V0_CN3) + N8, N9 := deleteMinimum_ff156c70_PMnode((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0_CN3) + + // *n_V0_CN0.rightA = N8 + (ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N8 + + // minValue_V1 = N9 + minValue_V1 := N9 + + // if(*n_V0_CN0.leftA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl + + // *n_V0_CN0.leftAconvert(lowerBound_V0_CN2, some(*n_V0_CN0.valueA), lowerBound_V0_CN2, some(minValue_V1)) + convert_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + lowerBound_V0_CN2, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + lowerBound_V0_CN2, (optSome(minValue_V1): Option[Int])) + } + + // *n_V0_CN0.valueA = minValue_V1 + (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ := minValue_V1 + + // fold acc(n_V0_CN0.tree()) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // res_V0_CN4 = n_V0_CN0 + res_V0_CN4 := n_V0_CN0 + } + } else { + + // if(*n_V0_CN0.leftA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { 
+ + // decl + + // res_V0_CN4 = *n_V0_CN0.leftA + res_V0_CN4 := (ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ + + // res_V0_CN4convert(lowerBound_V0_CN2, some(*n_V0_CN0.valueA), lowerBound_V0_CN2, upperBound_V0_CN3) + convert_ff156c70_PMnode(res_V0_CN4, lowerBound_V0_CN2, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + lowerBound_V0_CN2, upperBound_V0_CN3) + } else { + + // if(*n_V0_CN0.rightA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl + + // res_V0_CN4 = *n_V0_CN0.rightA + res_V0_CN4 := (ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ + + // res_V0_CN4convert(some(*n_V0_CN0.valueA), upperBound_V0_CN3, lowerBound_V0_CN2, upperBound_V0_CN3) + convert_ff156c70_PMnode(res_V0_CN4, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + upperBound_V0_CN3, lowerBound_V0_CN2, upperBound_V0_CN3) + } else { + + // decl + + // res_V0_CN4 = (nil:*node_ff156c70_T@°) + res_V0_CN4 := shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + } + } + } + } + } + } + + // res_V0_CN4 = res_V0_CN4 + res_V0_CN4 := res_V0_CN4 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN4 + res_V0 := res_V0_CN4 + } +} + +method deleteMinimum_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], lowerBound_V0: Option[Int], + upperBound_V0: Option[Int]) + returns (res_V0: ShStruct3[Ref, Ref, Ref], minimum_V0: Int) + requires acc(tree_ff156c70_PMnode(n_V0), write) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures !(res_V0 == + 
shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_ff156c70_PMnode(res_V0), write) && + sorted_ff156c70_PMnode(res_V0, (optSome(minimum_V0): Option[Int]), upperBound_V0) + ensures !(res_V0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) ==> + !((minimum_V0 in + sortedValues_ff156c70_PMnode(res_V0, (optSome(minimum_V0): Option[Int]), + upperBound_V0))) + ensures !(lowerBound_V0 == (optNone(): Option[Int])) ==> + (optGet(lowerBound_V0): Int) < minimum_V0 + ensures !(upperBound_V0 == (optNone(): Option[Int])) ==> + (optGet(upperBound_V0): Int) > minimum_V0 +{ + inhale res_V0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + inhale minimum_V0 == 0 + + // decl n_V0_CN0: *node_ff156c70_T@°°, lowerBound_V0_CN1: option[int°]°°, upperBound_V0_CN2: option[int°]°°, res_V0_CN3: *node_ff156c70_T@°°, minimum_V0_CN4: int°° + { + var minimum_V0_CN4: Int + var res_V0_CN3: ShStruct3[Ref, Ref, Ref] + var upperBound_V0_CN2: Option[Int] + var lowerBound_V0_CN1: Option[Int] + var n_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init n_V0_CN0 + inhale n_V0_CN0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init lowerBound_V0_CN1 + inhale lowerBound_V0_CN1 == (optNone(): Option[Int]) + + // init upperBound_V0_CN2 + inhale upperBound_V0_CN2 == (optNone(): Option[Int]) + + // init res_V0_CN3 + inhale res_V0_CN3 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init minimum_V0_CN4 + inhale minimum_V0_CN4 == 0 + + // n_V0_CN0 = n_V0 + 
n_V0_CN0 := n_V0 + + // lowerBound_V0_CN1 = lowerBound_V0 + lowerBound_V0_CN1 := lowerBound_V0 + + // upperBound_V0_CN2 = upperBound_V0 + upperBound_V0_CN2 := upperBound_V0 + + // decl + + // unfold acc(n_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // if(*n_V0_CN0.leftA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N12: *node_ff156c70_T@°°, N13: int°° + { + var N13: Int + var N12: ShStruct3[Ref, Ref, Ref] + + // N12, N13 = *n_V0_CN0.leftAdeleteMinimum(lowerBound_V0_CN1, some(*n_V0_CN0.valueA)) + N12, N13 := deleteMinimum_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + lowerBound_V0_CN1, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int])) + + // *n_V0_CN0.leftA = N12 + (ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ := N12 + + // minimum_V0_CN4 = N13 + minimum_V0_CN4 := N13 + + // fold acc(n_V0_CN0.tree()) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // res_V0_CN3 = n_V0_CN0 + res_V0_CN3 := n_V0_CN0 + } + } else { + + // if(*n_V0_CN0.rightA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N10: *node_ff156c70_T@°°, N11: int°° + { + var N11: Int + var N10: ShStruct3[Ref, Ref, Ref] + + // N10 = *n_V0_CN0.rightA + N10 := (ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ + + // N11 = *n_V0_CN0.valueA + N11 := (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ + + // res_V0_CN3 = N10 + 
res_V0_CN3 := N10 + + // minimum_V0_CN4 = N11 + minimum_V0_CN4 := N11 + } + } else { + + // decl N8: *node_ff156c70_T@°°, N9: int°° + { + var N9: Int + var N8: ShStruct3[Ref, Ref, Ref] + + // N8 = (nil:*node_ff156c70_T@°) + N8 := shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // N9 = *n_V0_CN0.valueA + N9 := (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ + + // res_V0_CN3 = N8 + res_V0_CN3 := N8 + + // minimum_V0_CN4 = N9 + minimum_V0_CN4 := N9 + } + } + } + + // res_V0_CN3 = res_V0_CN3 + res_V0_CN3 := res_V0_CN3 + + // minimum_V0_CN4 = minimum_V0_CN4 + minimum_V0_CN4 := minimum_V0_CN4 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN3 + res_V0 := res_V0_CN3 + + // minimum_V0 = minimum_V0_CN4 + minimum_V0 := minimum_V0_CN4 + } +} + +method getMinimum_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], lowerBound_V0: Option[Int], + upperBound_V0: Option[Int]) + returns (res_V0: Int) + requires acc(tree_ff156c70_PMnode(n_V0), write) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures acc(tree_ff156c70_PMnode(n_V0), write) && + sorted_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0) + ensures !(lowerBound_V0 == (optNone(): Option[Int])) ==> + res_V0 > (optGet(lowerBound_V0): Int) + ensures !(upperBound_V0 == (optNone(): Option[Int])) ==> + res_V0 < (optGet(upperBound_V0): Int) + ensures res_V0 == + sortedValues_ff156c70_PMnode(n_V0, lowerBound_V0, upperBound_V0)[0] +{ + inhale res_V0 == 0 + + // decl n_V0_CN0: *node_ff156c70_T@°°, lowerBound_V0_CN1: option[int°]°°, upperBound_V0_CN2: option[int°]°°, res_V0_CN3: int°° + { + var res_V0_CN3: Int + var upperBound_V0_CN2: Option[Int] + var lowerBound_V0_CN1: Option[Int] + var n_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init n_V0_CN0 + inhale n_V0_CN0 == + 
shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init lowerBound_V0_CN1 + inhale lowerBound_V0_CN1 == (optNone(): Option[Int]) + + // init upperBound_V0_CN2 + inhale upperBound_V0_CN2 == (optNone(): Option[Int]) + + // init res_V0_CN3 + inhale res_V0_CN3 == 0 + + // n_V0_CN0 = n_V0 + n_V0_CN0 := n_V0 + + // lowerBound_V0_CN1 = lowerBound_V0 + lowerBound_V0_CN1 := lowerBound_V0 + + // upperBound_V0_CN2 = upperBound_V0 + upperBound_V0_CN2 := upperBound_V0 + + // decl + + // unfold acc(n_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // if(*n_V0_CN0.leftA == (nil:*node_ff156c70_T@°)) {...} else {...} + if ((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$()) { + + // decl + + // res_V0_CN3 = *n_V0_CN0.valueA + res_V0_CN3 := (ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$ + } else { + + // decl N7: int°° + { + var N7: Int + + // N7 = *n_V0_CN0.leftAgetMinimum(lowerBound_V0_CN1, some(*n_V0_CN0.valueA)) + N7 := getMinimum_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + lowerBound_V0_CN1, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int])) + + // res_V0_CN3 = N7 + res_V0_CN3 := N7 + } + } + + // fold acc(n_V0_CN0.tree()) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // res_V0_CN3 = res_V0_CN3 + res_V0_CN3 := res_V0_CN3 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN3 + res_V0 := res_V0_CN3 + } +} + +method main_ff156c70_F() +{ + + // decl + { + + + + // decl value0_V0: int°°, value1_V0: int°°, value2_V0: int°°, N0: *Tree_ff156c70_T@°°, t_V0: *Tree_ff156c70_T@°° + { + var t_V0: ShStruct1[Ref] + var N0: ShStruct1[Ref] + var value2_V0: Int + var 
value1_V0: Int + var value0_V0: Int + + // init value0_V0 + inhale value0_V0 == 0 + + // value0_V0 = 2 + value0_V0 := 2 + + // init value1_V0 + inhale value1_V0 == 0 + + // value1_V0 = 5 + value1_V0 := 5 + + // init value2_V0 + inhale value2_V0 == 0 + + // value2_V0 = 42 + value2_V0 := 42 + + // N0 = client0_ff156c70_F(value0_V0) + N0 := client0_ff156c70_F(value0_V0) + + // init t_V0 + inhale t_V0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // t_V0 = N0 + t_V0 := N0 + + // client1_ff156c70_F(t_V0, value1_V0) + client1_ff156c70_F(t_V0, value1_V0) + + // client2_ff156c70_F(t_V0, value2_V0) + client2_ff156c70_F(t_V0, value2_V0) + } + label returnLabel + } +} + +method client0_ff156c70_F(value_V0: Int) returns (t_V0: ShStruct1[Ref]) + ensures acc(tree_ff156c70_PMTree(t_V0), write) +{ + inhale t_V0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // decl value_V0_CN0: int°°, t_V0_CN1: *Tree_ff156c70_T@°° + { + var t_V0_CN1: ShStruct1[Ref] + var value_V0_CN0: Int + + + + // init value_V0_CN0 + inhale value_V0_CN0 == 0 + + // init t_V0_CN1 + inhale t_V0_CN1 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // value_V0_CN0 = value_V0 + value_V0_CN0 := value_V0 + + // decl N2: *Tree_ff156c70_T@°° + { + var N2: ShStruct1[Ref] + + // N2 = NewTree_ff156c70_F() + N2 := NewTree_ff156c70_F() + + // t_V0_CN1 = N2 + t_V0_CN1 := N2 + + // assert !t_V0_CN1.pureContains(value_V0_CN0, 2) + assert !pureContains_ff156c70_PMTree(t_V0_CN1, value_V0_CN0, 2) + + // t_V0_CN1Insert(value_V0_CN0) + Insert_ff156c70_PMTree(t_V0_CN1, value_V0_CN0) + + // assert t_V0_CN1.sortedValues() == seq[int°] { 0:value_V0_CN0 } + assert sortedValues_ff156c70_PMTree(t_V0_CN1) == Seq(value_V0_CN0) + + // t_V0_CN1Delete(value_V0_CN0) + Delete_ff156c70_PMTree(t_V0_CN1, value_V0_CN0) + + // assert !t_V0_CN1.pureContains(value_V0_CN0, 2) + assert !pureContains_ff156c70_PMTree(t_V0_CN1, value_V0_CN0, 2) + + // 
t_V0_CN1 = t_V0_CN1 + t_V0_CN1 := t_V0_CN1 + + // return + goto returnLabel + } + label returnLabel + + // t_V0 = t_V0_CN1 + t_V0 := t_V0_CN1 + } +} + +method client1_ff156c70_F(t_V0: ShStruct1[Ref], value_V0: Int) + requires acc(tree_ff156c70_PMTree(t_V0), write) + ensures acc(tree_ff156c70_PMTree(t_V0), write) +{ + + // decl t_V0_CN0: *Tree_ff156c70_T@°°, value_V0_CN1: int°° + { + var value_V0_CN1: Int + var t_V0_CN0: ShStruct1[Ref] + + + + // init t_V0_CN0 + inhale t_V0_CN0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // t_V0_CN0 = t_V0 + t_V0_CN0 := t_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // decl oldValues_V1: seq[int°]°°, N3: bool°°, newValues_V1: seq[int°]°° + { + var newValues_V1: Seq[Int] + var N3: Bool + var oldValues_V1: Seq[Int] + + // init oldValues_V1 + inhale oldValues_V1 == Seq[Int]() + + // oldValues_V1 = t_V0_CN0.sortedValues() + oldValues_V1 := sortedValues_ff156c70_PMTree(t_V0_CN0) + + // N3 = t_V0_CN0Contains(value_V0_CN1, 2) + N3 := Contains_ff156c70_PMTree(t_V0_CN0, value_V0_CN1, 2) + + // init newValues_V1 + inhale newValues_V1 == Seq[Int]() + + // newValues_V1 = t_V0_CN0.sortedValues() + newValues_V1 := sortedValues_ff156c70_PMTree(t_V0_CN0) + + // assert oldValues_V1 == newValues_V1 + assert oldValues_V1 == newValues_V1 + } + label returnLabel + } +} + +method client2_ff156c70_F(t_V0: ShStruct1[Ref], value_V0: Int) + requires acc(tree_ff156c70_PMTree(t_V0), write) + ensures acc(tree_ff156c70_PMTree(t_V0), write) +{ + + // decl t_V0_CN0: *Tree_ff156c70_T@°°, value_V0_CN1: int°° + { + var value_V0_CN1: Int + var t_V0_CN0: ShStruct1[Ref] + + + + // init t_V0_CN0 + inhale t_V0_CN0 == + shStructDefault_$rootA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init value_V0_CN1 + inhale value_V0_CN1 == 0 + + // t_V0_CN0 = t_V0 + t_V0_CN0 := t_V0 + + // value_V0_CN1 = value_V0 + value_V0_CN1 := value_V0 + + // decl 
oldValues_V1: seq[int°]°°, newValues_V1: seq[int°]°° + { + var newValues_V1: Seq[Int] + var oldValues_V1: Seq[Int] + + // init oldValues_V1 + inhale oldValues_V1 == Seq[Int]() + + // oldValues_V1 = t_V0_CN0.sortedValues() + oldValues_V1 := sortedValues_ff156c70_PMTree(t_V0_CN0) + + // t_V0_CN0Insert(value_V0_CN1) + Insert_ff156c70_PMTree(t_V0_CN0, value_V0_CN1) + + // init newValues_V1 + inhale newValues_V1 == Seq[Int]() + + // newValues_V1 = t_V0_CN0.sortedValues() + newValues_V1 := sortedValues_ff156c70_PMTree(t_V0_CN0) + + // assert t_V0_CN0.pureContains(value_V0_CN1, 2) + assert pureContains_ff156c70_PMTree(t_V0_CN0, value_V0_CN1, 2) + + // if(value_V0_CN1 in oldValues_V1) {...} else {...} + if ((value_V0_CN1 in oldValues_V1)) { + + // decl + + // assert oldValues_V1 == newValues_V1 + assert oldValues_V1 == newValues_V1 + } else { + + // decl + + } + } + label returnLabel + } +} + +method convert_ff156c70_PMnode(n_V0: ShStruct3[Ref, Ref, Ref], oldLowerBound_V0: Option[Int], + oldUpperBound_V0: Option[Int], newLowerBound_V0: Option[Int], newUpperBound_V0: Option[Int]) + requires acc(tree_ff156c70_PMnode(n_V0), write) + requires sorted_ff156c70_PMnode(n_V0, oldLowerBound_V0, oldUpperBound_V0) + requires oldLowerBound_V0 == (optNone(): Option[Int]) ==> + newLowerBound_V0 == (optNone(): Option[Int]) + requires oldUpperBound_V0 == (optNone(): Option[Int]) ==> + newUpperBound_V0 == (optNone(): Option[Int]) + requires !(newLowerBound_V0 == (optNone(): Option[Int])) ==> + !(oldLowerBound_V0 == (optNone(): Option[Int])) && + (optGet(oldLowerBound_V0): Int) >= (optGet(newLowerBound_V0): Int) + requires !(newUpperBound_V0 == (optNone(): Option[Int])) ==> + !(oldUpperBound_V0 == (optNone(): Option[Int])) && + (optGet(oldUpperBound_V0): Int) <= (optGet(newUpperBound_V0): Int) + ensures acc(tree_ff156c70_PMnode(n_V0), write) + ensures sorted_ff156c70_PMnode(n_V0, oldLowerBound_V0, oldUpperBound_V0) && + sorted_ff156c70_PMnode(n_V0, newLowerBound_V0, newUpperBound_V0) + 
ensures sortedValues_ff156c70_PMnode(n_V0, oldLowerBound_V0, oldUpperBound_V0) == + sortedValues_ff156c70_PMnode(n_V0, newLowerBound_V0, newUpperBound_V0) +{ + + // decl n_V0_CN0: *node_ff156c70_T@°°, oldLowerBound_V0_CN1: option[int°]°°, oldUpperBound_V0_CN2: option[int°]°°, newLowerBound_V0_CN3: option[int°]°°, newUpperBound_V0_CN4: option[int°]°° + { + var newUpperBound_V0_CN4: Option[Int] + var newLowerBound_V0_CN3: Option[Int] + var oldUpperBound_V0_CN2: Option[Int] + var oldLowerBound_V0_CN1: Option[Int] + var n_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init n_V0_CN0 + inhale n_V0_CN0 == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$() + + // init oldLowerBound_V0_CN1 + inhale oldLowerBound_V0_CN1 == (optNone(): Option[Int]) + + // init oldUpperBound_V0_CN2 + inhale oldUpperBound_V0_CN2 == (optNone(): Option[Int]) + + // init newLowerBound_V0_CN3 + inhale newLowerBound_V0_CN3 == (optNone(): Option[Int]) + + // init newUpperBound_V0_CN4 + inhale newUpperBound_V0_CN4 == (optNone(): Option[Int]) + + // n_V0_CN0 = n_V0 + n_V0_CN0 := n_V0 + + // oldLowerBound_V0_CN1 = oldLowerBound_V0 + oldLowerBound_V0_CN1 := oldLowerBound_V0 + + // oldUpperBound_V0_CN2 = oldUpperBound_V0 + oldUpperBound_V0_CN2 := oldUpperBound_V0 + + // newLowerBound_V0_CN3 = newLowerBound_V0 + newLowerBound_V0_CN3 := newLowerBound_V0 + + // newUpperBound_V0_CN4 = newUpperBound_V0 + newUpperBound_V0_CN4 := newUpperBound_V0 + + // decl + + // unfold acc(n_V0_CN0.tree()) + unfold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + + // if(*n_V0_CN0.leftA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl + + // 
*n_V0_CN0.leftAconvert(oldLowerBound_V0_CN1, some(*n_V0_CN0.valueA), newLowerBound_V0_CN3, some(*n_V0_CN0.valueA)) + convert_ff156c70_PMnode((ShStructget1of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + oldLowerBound_V0_CN1, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + newLowerBound_V0_CN3, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int])) + } + + // if(*n_V0_CN0.rightA != (nil:*node_ff156c70_T@°)) {...} else {...} + if (!((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$valueA_Intint$$$_S_$$$_leftA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$_rightA_PointerDefinednode_ff156c70_T$$$_S_$$$$$$_S_$$$$())) { + + // decl + + // *n_V0_CN0.rightAconvert(some(*n_V0_CN0.valueA), oldUpperBound_V0_CN2, some(*n_V0_CN0.valueA), newUpperBound_V0_CN4) + convert_ff156c70_PMnode((ShStructget2of3(n_V0_CN0): Ref).PointerDefinednode_ff156c70_T$$$_S_$$$$$$$_E_$$$, + (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + oldUpperBound_V0_CN2, (optSome((ShStructget0of3(n_V0_CN0): Ref).Intint$$$$_E_$$$): Option[Int]), + newUpperBound_V0_CN4) + } + + // fold acc(n_V0_CN0.tree()) + fold acc(tree_ff156c70_PMnode(n_V0_CN0), write) + label returnLabel + } +} + +method main_ff156c70_$CHECKMAIN() +{ + + // decl + { + + + label returnLabel + } +} + +method $IMPORTS_ff156c70_ff156c70() +{ + + // decl + { + + + label returnLabel + } +} + +method $IMPORTS_ff156c70_bffb141e() +{ + + // decl + { + + + label returnLabel + } +} + +// decreases +method $INIT_ff156c70_18fc7317() +{ + + // decl + { + + + label returnLabel + } +} + +method panic_bffb141e_F(v_V0: Tuple2[Ref, Types]) + requires false + + +// decreases +method Error_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]) + returns (P0_PO0: Int) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), 
write) + ensures acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + + +// decreases +method Duplicate_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + ensures acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + ensures IsDuplicableMem_bffb141e_SY$c04328b0_bffb141e_(thisItf) ==> + acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + + +// decreases +method IsDuplicableMem_bffb141e_SY$c04328b0_bffb141e__pres_termination_proof(thisItf: Tuple2[Ref, Types]) +{ + var $condInEx: Bool + if (!(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + inhale acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), wildcard) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/gobra/binary_tree.gobra.vpr b/src/test/resources/biabduction/frontends/gobra/binary_tree.gobra.vpr new file mode 100644 index 00000000..183f95a9 --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/binary_tree.gobra.vpr 
@@ -0,0 +1,733 @@ +domain String { + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit(): Int + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit()) == 0 + } +} + +domain Types { + + function empty_interface_Types(): Types + + unique function empty_interface_Types_tag(): Int + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + function nil_Types(): Types + + unique function nil_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function tag_Types(t: Types): Int + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructget2of3(x: ShStruct3[T0, T1, T2]): T2 + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + 
(eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain Tuple3[T0, T1, T2] { + + function tuple3(t0: T0, t1: T1, t2: T2): Tuple3[T0, T1, T2] + + function get0of3(p: Tuple3[T0, T1, T2]): T0 + + function get1of3(p: Tuple3[T0, T1, T2]): T1 + + function get2of3(p: Tuple3[T0, T1, T2]): T2 + + axiom getter_over_tuple3 { + (forall t0: T0, t1: T1, t2: T2 :: + { (tuple3(t0, t1, t2): Tuple3[T0, T1, T2]) } + (get0of3((tuple3(t0, t1, t2): Tuple3[T0, T1, T2])): T0) == t0 && + (get1of3((tuple3(t0, t1, t2): Tuple3[T0, T1, T2])): T1) == t1 && + (get2of3((tuple3(t0, t1, t2): Tuple3[T0, T1, T2])): T2) == t2) + } + + axiom tuple3_over_getter { + (forall p: Tuple3[T0, T1, T2] :: + { (get0of3(p): T0) } + { (get1of3(p): T1) } + { (get2of3(p): T2) } + (tuple3((get0of3(p): T0), (get1of3(p): T1), (get2of3(p): T2)): Tuple3[T0, T1, T2]) == + p) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { (tuple2(t0, t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + (get1of2((tuple2(t0, t1): Tuple2[T0, 
T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain WellFoundedOrder[T] { + + function decreasing(arg1: T, arg2: T): Bool + + function bounded(arg1: T): Bool +} + +field PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$: ShStruct3[Ref, Ref, Ref] + +field Intint$$$$_E_$$$: Int + +// decreases _ +function shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$(): ShStruct3[Ref, Ref, Ref] + ensures (ShStructget0of3(result): Ref) == null && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Ref) == null + + +function Contains_d081ef35_PMTree(self_V0: ShStruct3[Ref, Ref, Ref], v_V0: Int): Bool + requires !(self_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F(self_V0), write) +{ + !(self_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) && + (unfolding acc(tree_d081ef35_F(self_V0), write) in + (ShStructget1of3(self_V0): Ref).Intint$$$$_E_$$$ == v_V0 || + (Contains_d081ef35_PMTree((ShStructget0of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0) || + Contains_d081ef35_PMTree((ShStructget2of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0))) +} + +// decreases +function IsDuplicableMem_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), wildcard) + + +predicate tree_d081ef35_F(self_V0: ShStruct3[Ref, Ref, Ref]) { + acc((ShStructget0of3(self_V0): 
Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of3(self_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget0of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F((ShStructget0of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$), write)) && + (!((ShStructget2of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F((ShStructget2of3(self_V0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$), write)) +} + +predicate ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]) + +method Insert_d081ef35_PMTree(self_V0: ShStruct3[Ref, Ref, Ref], v_V0: Int) + returns (res_V0: ShStruct3[Ref, Ref, Ref]) + requires !(self_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F(self_V0), write) + ensures acc(tree_d081ef35_F(res_V0), write) && + Contains_d081ef35_PMTree(res_V0, v_V0) +{ + inhale res_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // decl self_V0_CN0: *Tree_d081ef35_T@°°, v_V0_CN1: int°°, res_V0_CN2: *Tree_d081ef35_T@°° + { + var res_V0_CN2: ShStruct3[Ref, Ref, Ref] + var v_V0_CN1: Int + var self_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init self_V0_CN0 + inhale self_V0_CN0 == + 
shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // init v_V0_CN1 + inhale v_V0_CN1 == 0 + + // init res_V0_CN2 + inhale res_V0_CN2 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // self_V0_CN0 = self_V0 + self_V0_CN0 := self_V0 + + // v_V0_CN1 = v_V0 + v_V0_CN1 := v_V0 + + // decl + + // if(self_V0_CN0 == (nil:*Tree_d081ef35_T@°)) {...} else {...} + if (self_V0_CN0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) { + + // decl N6: *Tree_d081ef35_T@°° + { + var N6: ShStruct3[Ref, Ref, Ref] + + // N6 = new(Tree_d081ef35_T°{dflt[*Tree_d081ef35_T@°], v_V0_CN1, dflt[*Tree_d081ef35_T@°]}) + { + var fn$$0: ShStruct3[Ref, Ref, Ref] + inhale (let fn$$1 == + (fn$$0) in + acc((ShStructget0of3(fn$$1): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of3(fn$$1): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(fn$$1): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, write)) && + (let fn$$2 == + (fn$$0) in + (let fn$$3 == + ((tuple3(shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$(), + v_V0_CN1, shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()): Tuple3[ShStruct3[Ref, Ref, Ref], Int, ShStruct3[Ref, Ref, Ref]])) in + (ShStructget0of3(fn$$2): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ == + (get0of3(fn$$3): ShStruct3[Ref, Ref, Ref]) && + (ShStructget1of3(fn$$2): Ref).Intint$$$$_E_$$$ == + (get1of3(fn$$3): Int) && + (ShStructget2of3(fn$$2): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ == + 
(get2of3(fn$$3): ShStruct3[Ref, Ref, Ref]))) + N6 := fn$$0 + } + + // res_V0_CN2 = N6 + res_V0_CN2 := N6 + } + } else { + + // decl + + // unfold acc(tree_d081ef35_F(self_V0_CN0)) + unfold acc(tree_d081ef35_F(self_V0_CN0), write) + + // if(*self_V0_CN0.ValueA + v_V0_CN1 % 2 == 0) {...} else {...} + if (((ShStructget1of3(self_V0_CN0): Ref).Intint$$$$_E_$$$ + v_V0_CN1) % + 2 == + 0) { + + // decl N5: *Tree_d081ef35_T@°° + { + var N5: ShStruct3[Ref, Ref, Ref] + + // N5 = *self_V0_CN0.LeftAInsert(v_V0_CN1) + N5 := Insert_d081ef35_PMTree((ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0_CN1) + + // *self_V0_CN0.LeftA = N5 + (ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := N5 + } + } else { + + // decl N4: *Tree_d081ef35_T@°° + { + var N4: ShStruct3[Ref, Ref, Ref] + + // N4 = *self_V0_CN0.RightAInsert(v_V0_CN1) + N4 := Insert_d081ef35_PMTree((ShStructget2of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0_CN1) + + // *self_V0_CN0.RightA = N4 + (ShStructget2of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := N4 + } + } + + // res_V0_CN2 = self_V0_CN0 + res_V0_CN2 := self_V0_CN0 + } + + // fold acc(tree_d081ef35_F(res_V0_CN2)) + fold acc(tree_d081ef35_F(res_V0_CN2), write) + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN2 + res_V0 := res_V0_CN2 + } +} + +method DeleteAll_d081ef35_PMTree(self_V0: ShStruct3[Ref, Ref, Ref], v_V0: Int) + returns (res_V0: ShStruct3[Ref, Ref, Ref]) + requires !(self_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F(self_V0), write) + ensures (!(res_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F(res_V0), write)) && 
+ !Contains_d081ef35_PMTree(res_V0, v_V0) +{ + inhale res_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // decl self_V0_CN0: *Tree_d081ef35_T@°°, v_V0_CN1: int°°, res_V0_CN2: *Tree_d081ef35_T@°° + { + var res_V0_CN2: ShStruct3[Ref, Ref, Ref] + var v_V0_CN1: Int + var self_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init self_V0_CN0 + inhale self_V0_CN0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // init v_V0_CN1 + inhale v_V0_CN1 == 0 + + // init res_V0_CN2 + inhale res_V0_CN2 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // self_V0_CN0 = self_V0 + self_V0_CN0 := self_V0 + + // v_V0_CN1 = v_V0 + v_V0_CN1 := v_V0 + + // decl + + // if(self_V0_CN0 == (nil:*Tree_d081ef35_T@°)) {...} else {...} + if (self_V0_CN0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) { + + // decl + + // res_V0_CN2 = (nil:*Tree_d081ef35_T@°) + res_V0_CN2 := shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + } else { + + // decl N4: *Tree_d081ef35_T@°°, newLeft_V1: *Tree_d081ef35_T@°°, N5: *Tree_d081ef35_T@°°, newRight_V1: *Tree_d081ef35_T@°° + { + var newRight_V1: ShStruct3[Ref, Ref, Ref] + var N5: ShStruct3[Ref, Ref, Ref] + var newLeft_V1: ShStruct3[Ref, Ref, Ref] + var N4: ShStruct3[Ref, Ref, Ref] + + // unfold acc(tree_d081ef35_F(self_V0_CN0)) + unfold acc(tree_d081ef35_F(self_V0_CN0), write) + + // N4 = *self_V0_CN0.LeftADeleteAll(v_V0_CN1) + N4 := DeleteAll_d081ef35_PMTree((ShStructget0of3(self_V0_CN0): 
Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0_CN1) + + // init newLeft_V1 + inhale newLeft_V1 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // newLeft_V1 = N4 + newLeft_V1 := N4 + + // N5 = *self_V0_CN0.RightADeleteAll(v_V0_CN1) + N5 := DeleteAll_d081ef35_PMTree((ShStructget2of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0_CN1) + + // init newRight_V1 + inhale newRight_V1 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // newRight_V1 = N5 + newRight_V1 := N5 + + // if(*self_V0_CN0.ValueA == v_V0_CN1) {...} else {...} + if ((ShStructget1of3(self_V0_CN0): Ref).Intint$$$$_E_$$$ == + v_V0_CN1) { + + // decl + + // if(newLeft_V1 == (nil:*Tree_d081ef35_T@°)) {...} else {...} + if (newLeft_V1 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) { + + // decl + + // res_V0_CN2 = newRight_V1 + res_V0_CN2 := newRight_V1 + } else { + + // if(newRight_V1 == (nil:*Tree_d081ef35_T@°)) {...} else {...} + if (newRight_V1 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) { + + // decl + + // res_V0_CN2 = newLeft_V1 + res_V0_CN2 := newLeft_V1 + } else { + + // decl leftMost_V2: int°°, N6: *Tree_d081ef35_T@°°, N7: int°° + { + var N7: Int + var N6: ShStruct3[Ref, Ref, Ref] + var leftMost_V2: Int + + // init leftMost_V2 + inhale leftMost_V2 == 0 + + // leftMost_V2 = dflt[int°] + leftMost_V2 := 0 + + // N6, N7 = newRight_V1deleteLeftMost(v_V0_CN1) + N6, N7 := deleteLeftMost_d081ef35_PMTree(newRight_V1, v_V0_CN1) + + // *self_V0_CN0.RightA = N6 + (ShStructget2of3(self_V0_CN0): 
Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := N6 + + // leftMost_V2 = N7 + leftMost_V2 := N7 + + // *self_V0_CN0.ValueA = leftMost_V2 + (ShStructget1of3(self_V0_CN0): Ref).Intint$$$$_E_$$$ := leftMost_V2 + + // *self_V0_CN0.LeftA = newLeft_V1 + (ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := newLeft_V1 + + // fold acc(tree_d081ef35_F(self_V0_CN0)) + fold acc(tree_d081ef35_F(self_V0_CN0), write) + + // res_V0_CN2 = self_V0_CN0 + res_V0_CN2 := self_V0_CN0 + } + } + } + } else { + + // decl + + // *self_V0_CN0.LeftA = newLeft_V1 + (ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := newLeft_V1 + + // *self_V0_CN0.RightA = newRight_V1 + (ShStructget2of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := newRight_V1 + + // fold acc(tree_d081ef35_F(self_V0_CN0)) + fold acc(tree_d081ef35_F(self_V0_CN0), write) + + // res_V0_CN2 = self_V0_CN0 + res_V0_CN2 := self_V0_CN0 + } + } + } + + // res_V0_CN2 = res_V0_CN2 + res_V0_CN2 := res_V0_CN2 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN2 + res_V0 := res_V0_CN2 + } +} + +method deleteLeftMost_d081ef35_PMTree(self_V0: ShStruct3[Ref, Ref, Ref], v_V0: Int) + returns (res_V0: ShStruct3[Ref, Ref, Ref], leftMost_V0: Int) + requires acc(tree_d081ef35_F(self_V0), write) && + !Contains_d081ef35_PMTree(self_V0, v_V0) + ensures (!(res_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$()) ==> + acc(tree_d081ef35_F(res_V0), write)) && + !Contains_d081ef35_PMTree(res_V0, v_V0) && + !(v_V0 == leftMost_V0) +{ + inhale res_V0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + inhale leftMost_V0 == 0 + + // decl self_V0_CN0: *Tree_d081ef35_T@°°, v_V0_CN1: int°°, res_V0_CN2: *Tree_d081ef35_T@°°, 
leftMost_V0_CN3: int°° + { + var leftMost_V0_CN3: Int + var res_V0_CN2: ShStruct3[Ref, Ref, Ref] + var v_V0_CN1: Int + var self_V0_CN0: ShStruct3[Ref, Ref, Ref] + + + + // init self_V0_CN0 + inhale self_V0_CN0 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // init v_V0_CN1 + inhale v_V0_CN1 == 0 + + // init res_V0_CN2 + inhale res_V0_CN2 == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // init leftMost_V0_CN3 + inhale leftMost_V0_CN3 == 0 + + // self_V0_CN0 = self_V0 + self_V0_CN0 := self_V0 + + // v_V0_CN1 = v_V0 + v_V0_CN1 := v_V0 + + // decl + + // unfold acc(tree_d081ef35_F(self_V0_CN0)) + unfold acc(tree_d081ef35_F(self_V0_CN0), write) + + // if(*self_V0_CN0.LeftA != (nil:*Tree_d081ef35_T@°)) {...} else {...} + if (!((ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N10: *Tree_d081ef35_T@°°, N11: int°° + { + var N11: Int + var N10: ShStruct3[Ref, Ref, Ref] + + // N10, N11 = *self_V0_CN0.LeftAdeleteLeftMost(v_V0_CN1) + N10, N11 := deleteLeftMost_d081ef35_PMTree((ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$, + v_V0_CN1) + + // *self_V0_CN0.LeftA = N10 + (ShStructget0of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ := N10 + + // leftMost_V0_CN3 = N11 + leftMost_V0_CN3 := N11 + + // fold acc(tree_d081ef35_F(self_V0_CN0)) + fold acc(tree_d081ef35_F(self_V0_CN0), write) + + // res_V0_CN2 = self_V0_CN0 + res_V0_CN2 := self_V0_CN0 + } + } else { + + // if(*self_V0_CN0.RightA != (nil:*Tree_d081ef35_T@°)) {...} else {...} + if (!((ShStructget2of3(self_V0_CN0): 
Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$())) { + + // decl N8: *Tree_d081ef35_T@°°, N9: int°° + { + var N9: Int + var N8: ShStruct3[Ref, Ref, Ref] + + // N8 = *self_V0_CN0.RightA + N8 := (ShStructget2of3(self_V0_CN0): Ref).PointerDefinedTree_d081ef35_T$$$_S_$$$$$$$_E_$$$ + + // N9 = *self_V0_CN0.ValueA + N9 := (ShStructget1of3(self_V0_CN0): Ref).Intint$$$$_E_$$$ + + // res_V0_CN2 = N8 + res_V0_CN2 := N8 + + // leftMost_V0_CN3 = N9 + leftMost_V0_CN3 := N9 + } + } else { + + // decl N6: *Tree_d081ef35_T@°°, N7: int°° + { + var N7: Int + var N6: ShStruct3[Ref, Ref, Ref] + + // N6 = (nil:*Tree_d081ef35_T@°) + N6 := shStructDefault_$LeftA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$_ValueA_Intint$$$_S_$$$_RightA_PointerDefinedTree_d081ef35_T$$$_S_$$$$$$_S_$$$$() + + // N7 = *self_V0_CN0.ValueA + N7 := (ShStructget1of3(self_V0_CN0): Ref).Intint$$$$_E_$$$ + + // res_V0_CN2 = N6 + res_V0_CN2 := N6 + + // leftMost_V0_CN3 = N7 + leftMost_V0_CN3 := N7 + } + } + } + + // res_V0_CN2 = res_V0_CN2 + res_V0_CN2 := res_V0_CN2 + + // leftMost_V0_CN3 = leftMost_V0_CN3 + leftMost_V0_CN3 := leftMost_V0_CN3 + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN2 + res_V0 := res_V0_CN2 + + // leftMost_V0 = leftMost_V0_CN3 + leftMost_V0 := leftMost_V0_CN3 + } +} + +method $IMPORTS_d081ef35_d081ef35() +{ + + // decl + { + + + label returnLabel + } +} + +method $IMPORTS_d081ef35_bffb141e() +{ + + // decl + { + + + label returnLabel + } +} + +// decreases +method $INIT_d081ef35_494e8976() +{ + + // decl + { + + + label returnLabel + } +} + +method panic_bffb141e_F(v_V0: Tuple2[Ref, Types]) + requires false + + +// decreases +method Error_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]) + returns (P0_PO0: Int) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + 
requires acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + ensures acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + + +// decreases +method Duplicate_bffb141e_SY$c04328b0_bffb141e_(thisItf: Tuple2[Ref, Types]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + ensures acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + ensures IsDuplicableMem_bffb141e_SY$c04328b0_bffb141e_(thisItf) ==> + acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), write) + + +// decreases +method IsDuplicableMem_bffb141e_SY$c04328b0_bffb141e__pres_termination_proof(thisItf: Tuple2[Ref, Types]) +{ + var $condInEx: Bool + if (!(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + inhale acc(ErrorMem_bffb141e_SY$c04328b0_bffb141e_(thisItf), wildcard) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/gobra/initiator_main.go.vpr b/src/test/resources/biabduction/frontends/gobra/initiator_main.go.vpr new file mode 100644 index 00000000..2839398c --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/initiator_main.go.vpr 
@@ -0,0 +1,8250 @@ +domain String { + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit(): Int + + unique function stringLit537563636573732053656e64696e672052657175657374(): Int + + unique function stringLit5375636365737320436f6e73756d696e6720526573706f6e7365(): Int + + unique function stringLit4e6f6973655f494b70736b325f32353531395f436861436861506f6c795f424c414b453273(): Int + + unique function stringLit576972654775617264207631207a78326334204a61736f6e407a783263342e636f6d(): Int + + axiom { + (forall l: Int, r: Int :: { strLen(strConcat(l, r)) } strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit537563636573732053656e64696e672052657175657374()) == 23 + } + + axiom { + strLen(stringLit5375636365737320436f6e73756d696e6720526573706f6e7365()) == 26 + } + + axiom { + strLen(stringLit4e6f6973655f494b70736b325f32353531395f436861436861506f6c795f424c414b453273()) == 37 + } + + axiom { + strLen(stringLit576972654775617264207631207a78326334204a61736f6e407a783263342e636f6d()) == 34 + } +} + +domain Types { + + function empty_interface_Types(): Types + + unique function empty_interface_Types_tag(): Int + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + function nil_Types(): Types + + unique function nil_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function tag_Types(t: Types): Int + + axiom { + (forall a: Types :: { behavioral_subtype_Types(a, empty_interface_Types()) } behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + (forall a: Types :: { behavioral_subtype_Types(a, a) } behavioral_subtype_Types(a, a)) + } + + axiom { + (forall a: Types, b: Types, c: Types :: { behavioral_subtype_Types(a, b),behavioral_subtype_Types(b, c) } behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> 
behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: { (eq(x, y): Bool) } (eq(x, y): Bool) == ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget0of4(x): T0) } (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget1of4(x): T1) } (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget2of4(x): T2) } (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget3of4(x): T3) } (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == x) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructrev0of5(v0: T0): 
ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: { (eq(x, y): Bool) } (eq(x, y): Bool) == ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget0of5(x): T0) } (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget1of5(x): T1) } (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget2of5(x): T2) } (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget3of5(x): T3) } (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget4of5(x): T4) } (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } +} + +domain ShStruct7[T0, T1, T2, T3, T4, T5, T6] { + + function ShStructrev0of7(v0: 
T0): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev1of7(v1: T1): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev2of7(v2: T2): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev3of7(v3: T3): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev4of7(v4: T4): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev5of7(v5: T5): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev6of7(v6: T6): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructget0of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T0 + + function ShStructget1of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T1 + + function ShStructget2of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T2 + + function ShStructget3of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T3 + + function ShStructget4of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T4 + + function ShStructget5of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T5 + + function ShStructget6of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T6 + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6], y: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (eq(x, y): Bool) } (eq(x, y): Bool) == ((ShStructget0of7(x): T0) == (ShStructget0of7(y): T0) && (ShStructget1of7(x): T1) == (ShStructget1of7(y): T1) && (ShStructget2of7(x): T2) == (ShStructget2of7(y): T2) && (ShStructget3of7(x): T3) == (ShStructget3of7(y): T3) && (ShStructget4of7(x): T4) == (ShStructget4of7(y): T4) && (ShStructget5of7(x): T5) == (ShStructget5of7(y): T5) && (ShStructget6of7(x): T6) == (ShStructget6of7(y): T6))) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget0of7(x): T0) } (ShStructrev0of7((ShStructget0of7(x): T0)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget1of7(x): T1) } (ShStructrev1of7((ShStructget1of7(x): T1)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, 
T5, T6] :: { (ShStructget2of7(x): T2) } (ShStructrev2of7((ShStructget2of7(x): T2)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget3of7(x): T3) } (ShStructrev3of7((ShStructget3of7(x): T3)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget4of7(x): T4) } (ShStructrev4of7((ShStructget4of7(x): T4)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget5of7(x): T5) } (ShStructrev5of7((ShStructget5of7(x): T5)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget6of7(x): T6) } (ShStructrev6of7((ShStructget6of7(x): T6)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: { (eq(l, r): Bool) } (eq(l, r): Bool) == (l == r)) + } +} + +domain Tuple5[T0, T1, T2, T3, T4] { + + function tuple5(t0: T0, t1: T1, t2: T2, t3: T3, t4: T4): Tuple5[T0, T1, T2, T3, T4] + + function get0of5(p: Tuple5[T0, T1, T2, T3, T4]): T0 + + function get1of5(p: Tuple5[T0, T1, T2, T3, T4]): T1 + + function get2of5(p: Tuple5[T0, T1, T2, T3, T4]): T2 + + function get3of5(p: Tuple5[T0, T1, T2, T3, T4]): T3 + + function get4of5(p: Tuple5[T0, T1, T2, T3, T4]): T4 + + axiom getter_over_tuple5 { + (forall t0: T0, t1: T1, t2: T2, t3: T3, t4: T4 :: { (tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4]) } (get0of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T0) == t0 && (get1of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T1) == t1 && (get2of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T2) == t2 && (get3of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T3) == t3 && (get4of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T4) == t4) + } + 
+ axiom tuple5_over_getter { + (forall p: Tuple5[T0, T1, T2, T3, T4] :: { (get0of5(p): T0) } { (get1of5(p): T1) } { (get2of5(p): T2) } { (get3of5(p): T3) } { (get4of5(p): T4) } (tuple5((get0of5(p): T0), (get1of5(p): T1), (get2of5(p): T2), (get3of5(p): T3), (get4of5(p): T4)): Tuple5[T0, T1, T2, T3, T4]) == p) + } +} + +domain Tuple7[T0, T1, T2, T3, T4, T5, T6] { + + function tuple7(t0: T0, t1: T1, t2: T2, t3: T3, t4: T4, t5: T5, t6: T6): Tuple7[T0, T1, T2, T3, T4, T5, T6] + + function get0of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T0 + + function get1of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T1 + + function get2of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T2 + + function get3of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T3 + + function get4of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T4 + + function get5of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T5 + + function get6of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T6 + + axiom getter_over_tuple7 { + (forall t0: T0, t1: T1, t2: T2, t3: T3, t4: T4, t5: T5, t6: T6 :: { (tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6]) } (get0of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T0) == t0 && (get1of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T1) == t1 && (get2of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T2) == t2 && (get3of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T3) == t3 && (get4of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T4) == t4 && (get5of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T5) == t5 && (get6of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T6) == t6) + } + + axiom tuple7_over_getter { + (forall p: Tuple7[T0, T1, T2, T3, T4, T5, T6] :: { (get0of7(p): T0) } { (get1of7(p): T1) } { (get2of7(p): T2) } { (get3of7(p): T3) } { (get4of7(p): T4) } { (get5of7(p): T5) } { 
(get6of7(p): T6) } (tuple7((get0of7(p): T0), (get1of7(p): T1), (get2of7(p): T2), (get3of7(p): T3), (get4of7(p): T4), (get5of7(p): T5), (get6of7(p): T6)): Tuple7[T0, T1, T2, T3, T4, T5, T6]) == p) + } +} + +domain Tuple4[T0, T1, T2, T3] { + + function tuple4(t0: T0, t1: T1, t2: T2, t3: T3): Tuple4[T0, T1, T2, T3] + + function get0of4(p: Tuple4[T0, T1, T2, T3]): T0 + + function get1of4(p: Tuple4[T0, T1, T2, T3]): T1 + + function get2of4(p: Tuple4[T0, T1, T2, T3]): T2 + + function get3of4(p: Tuple4[T0, T1, T2, T3]): T3 + + axiom getter_over_tuple4 { + (forall t0: T0, t1: T1, t2: T2, t3: T3 :: { (tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3]) } (get0of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T0) == t0 && (get1of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T1) == t1 && (get2of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T2) == t2 && (get3of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T3) == t3) + } + + axiom tuple4_over_getter { + (forall p: Tuple4[T0, T1, T2, T3] :: { (get0of4(p): T0) } { (get1of4(p): T1) } { (get2of4(p): T2) } { (get3of4(p): T3) } (tuple4((get0of4(p): T0), (get1of4(p): T1), (get2of4(p): T2), (get3of4(p): T3)): Tuple4[T0, T1, T2, T3]) == p) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: { (tuple2(t0, t1): Tuple2[T0, T1]) } (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: { (get0of2(p): T0) } { (get1of2(p): T1) } (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ConstantMacSize_c7a67a88_G { + + function constant_MacSize_c7a67a88_G(): Int + + axiom get_constantMacSize_c7a67a88_G { + constant_MacSize_c7a67a88_G() == 16 + } +} + +domain ConstantNonceSize_c7a67a88_G { + + 
function constant_NonceSize_c7a67a88_G(): Int + + axiom get_constantNonceSize_c7a67a88_G { + constant_NonceSize_c7a67a88_G() == 12 + } +} + +domain ConstantKeySize_c7a67a88_G { + + function constant_KeySize_c7a67a88_G(): Int + + axiom get_constantKeySize_c7a67a88_G { + constant_KeySize_c7a67a88_G() == 32 + } +} + +domain ConstantHashSize_c7a67a88_G { + + function constant_HashSize_c7a67a88_G(): Int + + axiom get_constantHashSize_c7a67a88_G { + constant_HashSize_c7a67a88_G() == 32 + } +} + +domain ConstantwireguardString_c7a67a88_G { + + function constant_wireguardString_c7a67a88_G(): Int + + axiom get_constantwireguardString_c7a67a88_G { + constant_wireguardString_c7a67a88_G() == stringLit4e6f6973655f494b70736b325f32353531395f436861436861506f6c795f424c414b453273() + } +} + +domain ConstantpreludeString_c7a67a88_G { + + function constant_preludeString_c7a67a88_G(): Int + + axiom get_constantpreludeString_c7a67a88_G { + constant_preludeString_c7a67a88_G() == stringLit576972654775617264207631207a78326334204a61736f6e407a783263342e636f6d() + } +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function soffset(s: Slice[T]): Int + + function slen(s: Slice[T]): Int + + function scap(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } { (scap(s): Int) } (slen(s): Int) <= (scap(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int),(scap(s): Int) } { (ShArraylen((sarray(s): ShArray[T])): Int) } (soffset(s): Int) + (scap(s): Int) <= (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: { (smake(a, o, l, c): Slice[T]) } 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> (sarray((smake(a, o, l, c): Slice[T])): 
ShArray[T]) == a && ((soffset((smake(a, o, l, c): Slice[T])): Int) == o && ((slen((smake(a, o, l, c): Slice[T])): Int) == l && (scap((smake(a, o, l, c): Slice[T])): Int) == c))) + } + + axiom { + (forall s: Slice[T] :: { (sarray(s): ShArray[T]) } { (soffset(s): Int) } { (slen(s): Int) } { (scap(s): Int) } s == (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraylen(a: ShArray[T]): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraysecond(r: T): Int + + axiom { + (forall a: ShArray[T], i: Int :: { (ShArrayloc(a, i): T) } 0 <= i && i < (ShArraylen(a): Int) ==> (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } + + axiom { + (forall a: ShArray[T] :: { (ShArraylen(a): Int) } (ShArraylen(a): Int) >= 0) + } +} + +domain D$96de1481_db7e1422_ { + + function const_g_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_00_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_p_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_i_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_1_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_0_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_2_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_e_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_Init_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_Resp_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_4_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function pub_msg_db7e1422_F(P0_PI0: Int): D$96de1481_db7e1422_ + + function pub_integer64_db7e1422_F(P0_PI0: Int): D$96de1481_db7e1422_ + + function pub_integer32_db7e1422_F(P0_PI0: Int): D$96de1481_db7e1422_ + + function dfltD$96de1481_db7e1422_(): D$96de1481_db7e1422_ +} + +domain D$f64ace72_9e8b0260_ { + + function fr_msg_9e8b0260_F(P0_PI0: Int): 
D$f64ace72_9e8b0260_ + + function fr_integer64_9e8b0260_F(P0_PI0: Int): D$f64ace72_9e8b0260_ + + function fr_integer32_9e8b0260_F(P0_PI0: Int): D$f64ace72_9e8b0260_ + + function dfltD$f64ace72_9e8b0260_(): D$f64ace72_9e8b0260_ +} + +domain D$9084e2f5_1186dc0d_ { + + function freshTerm_1186dc0d_F(f_V0: D$f64ace72_9e8b0260_): D$9084e2f5_1186dc0d_ + + function getFreshTerm_1186dc0d_F(t_V0: D$9084e2f5_1186dc0d_): D$f64ace72_9e8b0260_ + + function pubTerm_1186dc0d_F(p_V0: D$96de1481_db7e1422_): D$9084e2f5_1186dc0d_ + + function getPubTerm_1186dc0d_F(t_V0: D$9084e2f5_1186dc0d_): D$96de1481_db7e1422_ + + function aead_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function decrypt_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex11_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex12_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex13_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex14_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex15_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex16_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex17_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex21_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex22_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex23_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex24_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex25_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex26_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex27_1186dc0d_F(t1_V0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex41_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex42_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex43_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex44_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function exp_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function extract_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function format1_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function format2_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function format4_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function fst_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function h_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function h__1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function inv_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1__1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2__1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf3_1186dc0d_F(t1_V0: 
D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function one_1186dc0d_F(): D$9084e2f5_1186dc0d_ + + function pair_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function snd_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ok_1186dc0d_F(): D$9084e2f5_1186dc0d_ + + function verify_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function Mult_1186dc0d_F(x_V0: D$9084e2f5_1186dc0d_, y_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function dfltD$9084e2f5_1186dc0d_(): D$9084e2f5_1186dc0d_ + + axiom { + (forall f_V0: D$f64ace72_9e8b0260_ :: { freshTerm_1186dc0d_F(f_V0) } getFreshTerm_1186dc0d_F(freshTerm_1186dc0d_F(f_V0)) == f_V0) + } + + axiom { + (forall p_V0: D$96de1481_db7e1422_ :: { pubTerm_1186dc0d_F(p_V0) } getPubTerm_1186dc0d_F(pubTerm_1186dc0d_F(p_V0)) == p_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, x_3_V0)) } Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, x_3_V0)) == Mult_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0), x_3_V0)) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, x_2_V0) } Mult_1186dc0d_F(x_1_V0, x_2_V0) == Mult_1186dc0d_F(x_2_V0, x_1_V0)) + } + + axiom { + (forall a_V0: D$9084e2f5_1186dc0d_, k_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_ :: { decrypt_1186dc0d_F(k_V0, n_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) } decrypt_1186dc0d_F(k_V0, n_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) == p_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: 
D$9084e2f5_1186dc0d_ :: { ex11_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex11_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x1_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex12_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex12_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x2_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex13_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex13_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x3_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex14_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex14_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x4_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex15_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex15_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x5_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: 
D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex16_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex16_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x6_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex17_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex17_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x7_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex21_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex21_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x1_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex22_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex22_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x2_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex23_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex23_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x3_V0) + } + + axiom { + (forall x1_V0: 
D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex24_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex24_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x4_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex25_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex25_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x5_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex26_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex26_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x6_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex27_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex27_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x7_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex41_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex41_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x1_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, 
x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex42_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex42_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x2_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex43_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex43_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x3_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex44_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex44_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x4_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { exp_1186dc0d_F(x_1_V0, one_1186dc0d_F()) } exp_1186dc0d_F(x_1_V0, one_1186dc0d_F()) == x_1_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { exp_1186dc0d_F(exp_1186dc0d_F(x_1_V0, x_2_V0), x_3_V0) } exp_1186dc0d_F(exp_1186dc0d_F(x_1_V0, x_2_V0), x_3_V0) == exp_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, x_3_V0))) + } + + axiom { + (forall a_V0: D$9084e2f5_1186dc0d_, k_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_ :: { extract_1186dc0d_F(aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) } extract_1186dc0d_F(aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) == a_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { fst_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) } fst_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) == x_1_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { inv_1186dc0d_F(inv_1186dc0d_F(x_1_V0)) } inv_1186dc0d_F(inv_1186dc0d_F(x_1_V0)) == x_1_V0) + } + + axiom { + inv_1186dc0d_F(one_1186dc0d_F()) == one_1186dc0d_F() + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ 
:: { inv_1186dc0d_F(Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) } inv_1186dc0d_F(Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) == Mult_1186dc0d_F(x_1_V0, inv_1186dc0d_F(x_2_V0))) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { snd_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) } snd_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) == x_2_V0) + } + + axiom { + (forall a_V0: D$9084e2f5_1186dc0d_, k_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_ :: { verify_1186dc0d_F(k_V0, n_V0, a_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) } verify_1186dc0d_F(k_V0, n_V0, a_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) == ok_1186dc0d_F()) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) } Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) == x_2_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, inv_1186dc0d_F(x_1_V0)) } Mult_1186dc0d_F(x_1_V0, inv_1186dc0d_F(x_1_V0)) == one_1186dc0d_F()) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, one_1186dc0d_F()) } Mult_1186dc0d_F(x_1_V0, one_1186dc0d_F()) == x_1_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_2_V0, Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0)))) } Mult_1186dc0d_F(x_2_V0, Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0)))) == Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(x_1_V0))) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0))) } Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0))) == inv_1186dc0d_F(x_1_V0)) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: 
D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_3_V0, Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0))) } Mult_1186dc0d_F(x_3_V0, Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0))) == Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0)))) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0)) } Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0)) == inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0))) + } +} + +domain D$46be403b_2716b91c_ { + + function SendSIDI_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSendSIDI_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function OutFormat1_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getOutFormat1_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function Commit_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getCommit_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function Secret_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSecret_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function InFormat2_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getInFormat2_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function SentFirstInit_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSentFirstInit_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function Running_2716b91c_F(t1_V0: 
D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getRunning_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function OutFormat4_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getOutFormat4_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function SentInitLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSentInitLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function AlreadyKnownSIDR_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getAlreadyKnownSIDR_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function ReceivedInitLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getReceivedInitLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function InFormat4_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getInFormat4_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function InFormat1_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getInFormat1_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function SendSIDR_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSendSIDR_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function OutFormat2_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getOutFormat2_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function ReceivedFirstResp_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: 
D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getReceivedFirstResp_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function SentRespLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSentRespLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function AlreadyKnownSIDI_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getAlreadyKnownSIDI_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function ReceivedRespLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getReceivedRespLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function dfltD$46be403b_2716b91c_(): D$46be403b_2716b91c_ + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { SendSIDI_2716b91c_F(t1_V0) } getSendSIDI_2716b91c_F(SendSIDI_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { OutFormat1_2716b91c_F(t1_V0) } getOutFormat1_2716b91c_F(OutFormat1_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { Commit_2716b91c_F(t1_V0, t2_V0, t3_V0) } getCommit_2716b91c_F(Commit_2716b91c_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { Secret_2716b91c_F(t1_V0, t2_V0, t3_V0) } getSecret_2716b91c_F(Secret_2716b91c_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0)) + 
} + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { InFormat2_2716b91c_F(t1_V0) } getInFormat2_2716b91c_F(InFormat2_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_ :: { SentFirstInit_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getSentFirstInit_2716b91c_F(SentFirstInit_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { Running_2716b91c_F(t1_V0, t2_V0, t3_V0) } getRunning_2716b91c_F(Running_2716b91c_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { OutFormat4_2716b91c_F(t1_V0) } getOutFormat4_2716b91c_F(OutFormat4_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { SentInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getSentInitLoop_2716b91c_F(SentInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { AlreadyKnownSIDR_2716b91c_F(t1_V0) } getAlreadyKnownSIDR_2716b91c_F(AlreadyKnownSIDR_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { ReceivedInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getReceivedInitLoop_2716b91c_F(ReceivedInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == 
Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { InFormat4_2716b91c_F(t1_V0) } getInFormat4_2716b91c_F(InFormat4_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { InFormat1_2716b91c_F(t1_V0) } getInFormat1_2716b91c_F(InFormat1_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { SendSIDR_2716b91c_F(t1_V0) } getSendSIDR_2716b91c_F(SendSIDR_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { OutFormat2_2716b91c_F(t1_V0) } getOutFormat2_2716b91c_F(OutFormat2_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_ :: { ReceivedFirstResp_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getReceivedFirstResp_2716b91c_F(ReceivedFirstResp_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { SentRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getSentRespLoop_2716b91c_F(SentRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { AlreadyKnownSIDI_2716b91c_F(t1_V0) } getAlreadyKnownSIDI_2716b91c_F(AlreadyKnownSIDI_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { ReceivedRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) 
} getReceivedRespLoop_2716b91c_F(ReceivedRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } +} + +domain D$226445f2_3e61b158_ { + + function Setup_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSetup_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtK_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtK_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtpK_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtpK_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function PsK_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getPsK_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function FrFact_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getFrFact_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Timestamp_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getTimestamp_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function MAC_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMAC_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Init_1_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, 
t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Init_1_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function OutFact_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getOutFact_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function InFact_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getInFact_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Init_2_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Init_2_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Message_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMessage_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Init_3_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Init_3_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Counter_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getCounter_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Setup_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: 
D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSetup_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtK_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtK_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtpK_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtpK_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function PsK_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getPsK_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function InFact_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getInFact_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Resp_1_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_, t12_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Resp_1_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function FrFact_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getFrFact_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function MAC_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function 
getMAC_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Resp_2_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Resp_2_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function OutFact_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getOutFact_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Resp_3_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Resp_3_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Counter_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getCounter_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Message_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMessage_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function getTag_3e61b158_F(f_V0: D$226445f2_3e61b158_): Int + + function persistent_3e61b158_F(f_V0: D$226445f2_3e61b158_): Bool + + function dfltD$226445f2_3e61b158_(): D$226445f2_3e61b158_ + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_ :: { Setup_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getSetup_Init_3e61b158_F(Setup_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == Seq(t1_V0, 
t2_V0, t3_V0, t4_V0, t5_V0) && getTag_3e61b158_F(Setup_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == 0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtK_Init_3e61b158_F(LtK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 1) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtpK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtpK_Init_3e61b158_F(LtpK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtpK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 2) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_ :: { PsK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0) } getPsK_Init_3e61b158_F(PsK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0) && getTag_3e61b158_F(PsK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == 3) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { FrFact_Init_3e61b158_F(t1_V0, t2_V0) } getFrFact_Init_3e61b158_F(FrFact_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(FrFact_Init_3e61b158_F(t1_V0, t2_V0)) == 4) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Timestamp_Init_3e61b158_F(t1_V0, t2_V0) } getTimestamp_Init_3e61b158_F(Timestamp_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Timestamp_Init_3e61b158_F(t1_V0, t2_V0)) == 5) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { MAC_Init_3e61b158_F(t1_V0, t2_V0) } getMAC_Init_3e61b158_F(MAC_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(MAC_Init_3e61b158_F(t1_V0, t2_V0)) == 6) + } + + axiom { + (forall 
t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_ :: { St_Init_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0) } getSt_Init_1_3e61b158_F(St_Init_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0) && getTag_3e61b158_F(St_Init_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0)) == 7) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { OutFact_Init_3e61b158_F(t1_V0, t2_V0) } getOutFact_Init_3e61b158_F(OutFact_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(OutFact_Init_3e61b158_F(t1_V0, t2_V0)) == 8) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { InFact_Init_3e61b158_F(t1_V0, t2_V0) } getInFact_Init_3e61b158_F(InFact_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(InFact_Init_3e61b158_F(t1_V0, t2_V0)) == 9) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Init_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Init_2_3e61b158_F(St_Init_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Init_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 10) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: 
D$9084e2f5_1186dc0d_ :: { Message_Init_3e61b158_F(t1_V0, t2_V0) } getMessage_Init_3e61b158_F(Message_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Message_Init_3e61b158_F(t1_V0, t2_V0)) == 11) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Init_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Init_3_3e61b158_F(St_Init_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Init_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 12) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Counter_Init_3e61b158_F(t1_V0, t2_V0) } getCounter_Init_3e61b158_F(Counter_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Counter_Init_3e61b158_F(t1_V0, t2_V0)) == 13) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_ :: { Setup_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getSetup_Resp_3e61b158_F(Setup_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) && getTag_3e61b158_F(Setup_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == 14) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtK_Resp_3e61b158_F(LtK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 15) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { 
LtpK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtpK_Resp_3e61b158_F(LtpK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtpK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 16) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_ :: { PsK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0) } getPsK_Resp_3e61b158_F(PsK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0) && getTag_3e61b158_F(PsK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == 17) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { InFact_Resp_3e61b158_F(t1_V0, t2_V0) } getInFact_Resp_3e61b158_F(InFact_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(InFact_Resp_3e61b158_F(t1_V0, t2_V0)) == 18) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_, t12_V0: D$9084e2f5_1186dc0d_ :: { St_Resp_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0) } getSt_Resp_1_3e61b158_F(St_Resp_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0) && getTag_3e61b158_F(St_Resp_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0)) == 19) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { FrFact_Resp_3e61b158_F(t1_V0, t2_V0) } getFrFact_Resp_3e61b158_F(FrFact_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(FrFact_Resp_3e61b158_F(t1_V0, t2_V0)) == 
20) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { MAC_Resp_3e61b158_F(t1_V0, t2_V0) } getMAC_Resp_3e61b158_F(MAC_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(MAC_Resp_3e61b158_F(t1_V0, t2_V0)) == 21) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Resp_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Resp_2_3e61b158_F(St_Resp_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Resp_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 22) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { OutFact_Resp_3e61b158_F(t1_V0, t2_V0) } getOutFact_Resp_3e61b158_F(OutFact_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(OutFact_Resp_3e61b158_F(t1_V0, t2_V0)) == 23) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Resp_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Resp_3_3e61b158_F(St_Resp_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Resp_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 24) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Counter_Resp_3e61b158_F(t1_V0, t2_V0) } getCounter_Resp_3e61b158_F(Counter_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && 
getTag_3e61b158_F(Counter_Resp_3e61b158_F(t1_V0, t2_V0)) == 25) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Message_Resp_3e61b158_F(t1_V0, t2_V0) } getMessage_Resp_3e61b158_F(Message_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Message_Resp_3e61b158_F(t1_V0, t2_V0)) == 26) + } + + axiom { + (forall f_V0: D$226445f2_3e61b158_ :: { persistent_3e61b158_F(f_V0) } persistent_3e61b158_F(f_V0) == (getTag_3e61b158_F(f_V0) == 1 || getTag_3e61b158_F(f_V0) == 2 || getTag_3e61b158_F(f_V0) == 3 || getTag_3e61b158_F(f_V0) == 15 || getTag_3e61b158_F(f_V0) == 16 || getTag_3e61b158_F(f_V0) == 17)) + } +} + +domain D$f32adf68_d2674021_ { + + function tuple2_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function tuple4_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function tuple5_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_, P4_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function tuple7_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_, P4_PI0: D$9084e2f5_1186dc0d_, P5_PI0: D$9084e2f5_1186dc0d_, P6_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function hash_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function hash__d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1__d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2__d2674021_F(P0_PI0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf3_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ok_d2674021_F(): D$9084e2f5_1186dc0d_ + + function aead_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function const1_d2674021_F(): D$9084e2f5_1186dc0d_ + + function exp_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function mult_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function msg_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function zeroString_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function integer64_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function integer32_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function infoTerm_d2674021_F(): D$9084e2f5_1186dc0d_ + + function prologueTerm_d2674021_F(): D$9084e2f5_1186dc0d_ + + function generator_d2674021_F(): D$9084e2f5_1186dc0d_ + + function decrypt_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function verify_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function inv_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getFirst_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getSecond_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getThird_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getForth_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getFifth_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getSixth_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): 
D$9084e2f5_1186dc0d_ + + function getSeventh_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function dfltD$f32adf68_d2674021_(): D$f32adf68_d2674021_ + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { tuple2_d2674021_F(x1_V0, x2_V0) } tuple2_d2674021_F(x1_V0, x2_V0) == pair_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { tuple4_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) } tuple4_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) == format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_ :: { tuple5_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0) } tuple5_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0) == pair_1186dc0d_F(x1_V0, pair_1186dc0d_F(x2_V0, pair_1186dc0d_F(x3_V0, pair_1186dc0d_F(x4_V0, x5_V0))))) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { tuple7_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) } (x1_V0 == pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()) ? tuple7_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) == format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) : true) && (x1_V0 == pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()) ? 
tuple7_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) == format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) : true)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { hash_d2674021_F(x1_V0, x2_V0) } hash_d2674021_F(x1_V0, x2_V0) == h_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { hash__d2674021_F(x_V0) } hash__d2674021_F(x_V0) == h__1186dc0d_F(x_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { kdf1_d2674021_F(x1_V0, x2_V0) } kdf1_d2674021_F(x1_V0, x2_V0) == kdf1_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { kdf1__d2674021_F(x_V0) } kdf1__d2674021_F(x_V0) == kdf1__1186dc0d_F(x_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { kdf2_d2674021_F(x1_V0, x2_V0) } kdf2_d2674021_F(x1_V0, x2_V0) == kdf2_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { kdf2__d2674021_F(x_V0) } kdf2__d2674021_F(x_V0) == kdf2__1186dc0d_F(x_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { kdf3_d2674021_F(x1_V0, x2_V0) } kdf3_d2674021_F(x1_V0, x2_V0) == kdf3_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + ok_d2674021_F() == ok_1186dc0d_F() + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { aead_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) } aead_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) == aead_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) + } + + axiom { + const1_d2674021_F() == one_1186dc0d_F() + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { exp_d2674021_F(x1_V0, x2_V0) } exp_d2674021_F(x1_V0, x2_V0) == exp_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { mult_d2674021_F(x1_V0, x2_V0) } mult_d2674021_F(x1_V0, 
x2_V0) == Mult_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall s_V0: Int :: { msg_d2674021_F(s_V0) } msg_d2674021_F(s_V0) == freshTerm_1186dc0d_F(fr_msg_9e8b0260_F(s_V0))) + } + + axiom { + zeroString_d2674021_F(0) == pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()) + } + + axiom { + zeroString_d2674021_F(12) == pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()) + } + + axiom { + integer64_d2674021_F(0) == pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()) + } + + axiom { + integer32_d2674021_F(1) == pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()) + } + + axiom { + integer32_d2674021_F(2) == pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()) + } + + axiom { + integer32_d2674021_F(4) == pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()) + } + + axiom { + (forall i_V0: Int :: { integer32_d2674021_F(i_V0) } (!(i_V0 == 1) && !(i_V0 == 2) && !(i_V0 == 4) ? integer32_d2674021_F(i_V0) == freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(i_V0)) : true)) + } + + axiom { + infoTerm_d2674021_F() == pubTerm_1186dc0d_F(const_i_pub_db7e1422_F()) + } + + axiom { + prologueTerm_d2674021_F() == pubTerm_1186dc0d_F(const_p_pub_db7e1422_F()) + } + + axiom { + generator_d2674021_F() == pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_ :: { decrypt_d2674021_F(x1_V0, x2_V0, x3_V0) } { decrypt_1186dc0d_F(x1_V0, x2_V0, x3_V0) } decrypt_d2674021_F(x1_V0, x2_V0, x3_V0) == decrypt_1186dc0d_F(x1_V0, x2_V0, x3_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { verify_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) } { verify_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0) } verify_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) == verify_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { inv_d2674021_F(x_V0) } inv_d2674021_F(x_V0) == inv_1186dc0d_F(x_V0)) + } + + axiom { + (forall t1_V0: 
D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { tuple2_d2674021_F(t1_V0, t2_V0) } getFirst_d2674021_F(tuple2_d2674021_F(t1_V0, t2_V0)) == t1_V0 && getSecond_d2674021_F(tuple2_d2674021_F(t1_V0, t2_V0)) == t2_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_ :: { tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0) } getFirst_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t1_V0 && getSecond_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t2_V0 && getThird_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t3_V0 && getForth_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t4_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_ :: { tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getFirst_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t1_V0 && getSecond_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t2_V0 && getThird_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t3_V0 && getForth_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t4_V0 && getFifth_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t5_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_ :: { tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getFirst_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t1_V0 && getSecond_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t2_V0 && getThird_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t3_V0 && 
getForth_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t4_V0 && getFifth_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t5_V0 && getSixth_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t6_V0 && getSeventh_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t7_V0) + } +} + +domain D$8d64a7ad_b3aa12e7_ { + + function tuple2B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function tuple4B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function tuple5B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_, P4_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function tuple7B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_, P4_PI0: D$8d64a7ad_b3aa12e7_, P5_PI0: D$8d64a7ad_b3aa12e7_, P6_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function hashB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function hashB__b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf1B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf1B__b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf2B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf2B__b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf3B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function okB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function aeadB_b3aa12e7_F(P0_PI0: 
D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function const1B_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function expB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function multB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function msgB_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function zeroStringB_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function integer64B_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function integer32B_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function infoBytesB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function prologueBytesB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function generatorB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function getFirstB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getSecondB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getThirdB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getForthB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getFifthB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getSixthB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getSeventhB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function decryptB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function verifyB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function invB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function dfltD$8d64a7ad_b3aa12e7_(): D$8d64a7ad_b3aa12e7_ + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: 
D$8d64a7ad_b3aa12e7_ :: { tuple2B_b3aa12e7_F(t1_V0, t2_V0) } getFirstB_b3aa12e7_F(tuple2B_b3aa12e7_F(t1_V0, t2_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple2B_b3aa12e7_F(t1_V0, t2_V0)) == t2_V0) + } + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: D$8d64a7ad_b3aa12e7_, t3_V0: D$8d64a7ad_b3aa12e7_, t4_V0: D$8d64a7ad_b3aa12e7_ :: { tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0) } getFirstB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t2_V0 && getThirdB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t3_V0 && getForthB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t4_V0) + } + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: D$8d64a7ad_b3aa12e7_, t3_V0: D$8d64a7ad_b3aa12e7_, t4_V0: D$8d64a7ad_b3aa12e7_, t5_V0: D$8d64a7ad_b3aa12e7_ :: { tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getFirstB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t2_V0 && getThirdB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t3_V0 && getForthB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t4_V0 && getFifthB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t5_V0) + } + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: D$8d64a7ad_b3aa12e7_, t3_V0: D$8d64a7ad_b3aa12e7_, t4_V0: D$8d64a7ad_b3aa12e7_, t5_V0: D$8d64a7ad_b3aa12e7_, t6_V0: D$8d64a7ad_b3aa12e7_, t7_V0: D$8d64a7ad_b3aa12e7_ :: { tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getFirstB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t2_V0 && getThirdB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t3_V0 && 
getForthB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t4_V0 && getFifthB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t5_V0 && getSixthB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t6_V0 && getSeventhB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t7_V0) + } + + axiom { + (forall key_V0: D$8d64a7ad_b3aa12e7_, nonce_V0: D$8d64a7ad_b3aa12e7_, plaintext_V0: D$8d64a7ad_b3aa12e7_, additionalData_V0: D$8d64a7ad_b3aa12e7_ :: { decryptB_b3aa12e7_F(key_V0, nonce_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) } decryptB_b3aa12e7_F(key_V0, nonce_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) == plaintext_V0) + } + + axiom { + (forall key_V0: D$8d64a7ad_b3aa12e7_, nonce_V0: D$8d64a7ad_b3aa12e7_, plaintext_V0: D$8d64a7ad_b3aa12e7_, additionalData_V0: D$8d64a7ad_b3aa12e7_ :: { verifyB_b3aa12e7_F(key_V0, nonce_V0, additionalData_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) } verifyB_b3aa12e7_F(key_V0, nonce_V0, additionalData_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) == okB_b3aa12e7_F()) + } +} + +domain D$d743aa07_b3aa12e7_ { + + function gamma_b3aa12e7_F(P0_PI0: D$9084e2f5_1186dc0d_): D$8d64a7ad_b3aa12e7_ + + function oneTerm_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$9084e2f5_1186dc0d_ + + function dfltD$d743aa07_b3aa12e7_(): D$d743aa07_b3aa12e7_ + + axiom { + (forall b_V0: D$8d64a7ad_b3aa12e7_ :: { oneTerm_b3aa12e7_F(b_V0) } gamma_b3aa12e7_F(oneTerm_b3aa12e7_F(b_V0)) == b_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple2_d2674021_F(t1_V0, t2_V0)) } gamma_b3aa12e7_F(tuple2_d2674021_F(t1_V0, t2_V0)) == tuple2B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V0), gamma_b3aa12e7_F(t2_V0))) && (forall t1_V1: D$9084e2f5_1186dc0d_, t2_V1: D$9084e2f5_1186dc0d_, t3_V1: 
D$9084e2f5_1186dc0d_, t4_V1: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple4_d2674021_F(t1_V1, t2_V1, t3_V1, t4_V1)) } gamma_b3aa12e7_F(tuple4_d2674021_F(t1_V1, t2_V1, t3_V1, t4_V1)) == tuple4B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V1), gamma_b3aa12e7_F(t2_V1), gamma_b3aa12e7_F(t3_V1), gamma_b3aa12e7_F(t4_V1))) && (forall t1_V2: D$9084e2f5_1186dc0d_, t2_V2: D$9084e2f5_1186dc0d_, t3_V2: D$9084e2f5_1186dc0d_, t4_V2: D$9084e2f5_1186dc0d_, t5_V2: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple5_d2674021_F(t1_V2, t2_V2, t3_V2, t4_V2, t5_V2)) } gamma_b3aa12e7_F(tuple5_d2674021_F(t1_V2, t2_V2, t3_V2, t4_V2, t5_V2)) == tuple5B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V2), gamma_b3aa12e7_F(t2_V2), gamma_b3aa12e7_F(t3_V2), gamma_b3aa12e7_F(t4_V2), gamma_b3aa12e7_F(t5_V2))) && (forall t1_V3: D$9084e2f5_1186dc0d_, t2_V3: D$9084e2f5_1186dc0d_, t3_V3: D$9084e2f5_1186dc0d_, t4_V3: D$9084e2f5_1186dc0d_, t5_V3: D$9084e2f5_1186dc0d_, t6_V3: D$9084e2f5_1186dc0d_, t7_V3: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple7_d2674021_F(t1_V3, t2_V3, t3_V3, t4_V3, t5_V3, t6_V3, t7_V3)) } gamma_b3aa12e7_F(tuple7_d2674021_F(t1_V3, t2_V3, t3_V3, t4_V3, t5_V3, t6_V3, t7_V3)) == tuple7B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V3), gamma_b3aa12e7_F(t2_V3), gamma_b3aa12e7_F(t3_V3), gamma_b3aa12e7_F(t4_V3), gamma_b3aa12e7_F(t5_V3), gamma_b3aa12e7_F(t6_V3), gamma_b3aa12e7_F(t7_V3))) && (forall k_V4: D$9084e2f5_1186dc0d_, n_V4: D$9084e2f5_1186dc0d_, p_V4: D$9084e2f5_1186dc0d_, a_V4: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(aead_d2674021_F(k_V4, n_V4, p_V4, a_V4)) } gamma_b3aa12e7_F(aead_d2674021_F(k_V4, n_V4, p_V4, a_V4)) == aeadB_b3aa12e7_F(gamma_b3aa12e7_F(k_V4), gamma_b3aa12e7_F(n_V4), gamma_b3aa12e7_F(p_V4), gamma_b3aa12e7_F(a_V4))) && (forall b1_V5: D$9084e2f5_1186dc0d_, b2_V5: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(hash_d2674021_F(b1_V5, b2_V5)) } gamma_b3aa12e7_F(hash_d2674021_F(b1_V5, b2_V5)) == hashB_b3aa12e7_F(gamma_b3aa12e7_F(b1_V5), gamma_b3aa12e7_F(b2_V5))) && (forall b_V6: D$9084e2f5_1186dc0d_ :: { 
gamma_b3aa12e7_F(hash__d2674021_F(b_V6)) } gamma_b3aa12e7_F(hash__d2674021_F(b_V6)) == hashB__b3aa12e7_F(gamma_b3aa12e7_F(b_V6))) && (forall b1_V7: D$9084e2f5_1186dc0d_, b2_V7: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf1_d2674021_F(b1_V7, b2_V7)) } gamma_b3aa12e7_F(kdf1_d2674021_F(b1_V7, b2_V7)) == kdf1B_b3aa12e7_F(gamma_b3aa12e7_F(b1_V7), gamma_b3aa12e7_F(b2_V7))) && (forall b_V8: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf1__d2674021_F(b_V8)) } gamma_b3aa12e7_F(kdf1__d2674021_F(b_V8)) == kdf1B__b3aa12e7_F(gamma_b3aa12e7_F(b_V8))) && (forall b1_V9: D$9084e2f5_1186dc0d_, b2_V9: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf2_d2674021_F(b1_V9, b2_V9)) } gamma_b3aa12e7_F(kdf2_d2674021_F(b1_V9, b2_V9)) == kdf2B_b3aa12e7_F(gamma_b3aa12e7_F(b1_V9), gamma_b3aa12e7_F(b2_V9))) && (forall b_V10: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf2__d2674021_F(b_V10)) } gamma_b3aa12e7_F(kdf2__d2674021_F(b_V10)) == kdf2B__b3aa12e7_F(gamma_b3aa12e7_F(b_V10))) && (forall b1_V11: D$9084e2f5_1186dc0d_, b2_V11: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf3_d2674021_F(b1_V11, b2_V11)) } gamma_b3aa12e7_F(kdf3_d2674021_F(b1_V11, b2_V11)) == kdf3B_b3aa12e7_F(gamma_b3aa12e7_F(b1_V11), gamma_b3aa12e7_F(b2_V11))) && gamma_b3aa12e7_F(ok_d2674021_F()) == okB_b3aa12e7_F() && (forall l_V12: Int :: { gamma_b3aa12e7_F(zeroString_d2674021_F(l_V12)) } gamma_b3aa12e7_F(zeroString_d2674021_F(l_V12)) == zeroStringB_b3aa12e7_F(l_V12)) && gamma_b3aa12e7_F(infoTerm_d2674021_F()) == infoBytesB_b3aa12e7_F() && gamma_b3aa12e7_F(prologueTerm_d2674021_F()) == prologueBytesB_b3aa12e7_F() && (forall i_V13: Int :: { gamma_b3aa12e7_F(integer64_d2674021_F(i_V13)) } gamma_b3aa12e7_F(integer64_d2674021_F(i_V13)) == integer64B_b3aa12e7_F(i_V13)) && (forall i_V14: Int :: { gamma_b3aa12e7_F(integer32_d2674021_F(i_V14)) } gamma_b3aa12e7_F(integer32_d2674021_F(i_V14)) == integer32B_b3aa12e7_F(i_V14)) && (forall s_V15: Int :: { gamma_b3aa12e7_F(msg_d2674021_F(s_V15)) } gamma_b3aa12e7_F(msg_d2674021_F(s_V15)) == 
msgB_b3aa12e7_F(s_V15)) && gamma_b3aa12e7_F(const1_d2674021_F()) == const1B_b3aa12e7_F() && gamma_b3aa12e7_F(generator_d2674021_F()) == generatorB_b3aa12e7_F() && (forall l_V16: D$9084e2f5_1186dc0d_, r_V16: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(exp_d2674021_F(l_V16, r_V16)) } gamma_b3aa12e7_F(exp_d2674021_F(l_V16, r_V16)) == expB_b3aa12e7_F(gamma_b3aa12e7_F(l_V16), gamma_b3aa12e7_F(r_V16))) && (forall l_V17: D$9084e2f5_1186dc0d_, r_V17: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(mult_d2674021_F(l_V17, r_V17)) } gamma_b3aa12e7_F(mult_d2674021_F(l_V17, r_V17)) == multB_b3aa12e7_F(gamma_b3aa12e7_F(l_V17), gamma_b3aa12e7_F(r_V17))) + } +} + +domain D$fe170ee1_c3672ae3_ { + + function place_c3672ae3_F(p_V0: Int): D$fe170ee1_c3672ae3_ + + function dfltD$fe170ee1_c3672ae3_(): D$fe170ee1_c3672ae3_ +} + +domain BoolWellFoundedOrder { + + axiom bool_ax_dec { + (decreasing(false, true): Bool) + } + + axiom bool_ax_bound { + (forall bool1: Bool :: { (bounded(bool1): Bool) } (bounded(bool1): Bool)) + } +} + +domain IntWellFoundedOrder { + + axiom integer_ax_dec { + (forall int1: Int, int2: Int :: { (decreasing(int1, int2): Bool) } int1 < int2 ==> (decreasing(int1, int2): Bool)) + } + + axiom integer_ax_bound { + (forall int1: Int :: { (bounded(int1): Bool) } int1 >= 0 ==> (bounded(int1): Bool)) + } +} + +domain MuliSetWellFoundedOrder[S] { + + axiom multiset_ax_dec { + (forall mSet1: Multiset[S], mSet2: Multiset[S] :: { (decreasing(mSet1, mSet2): Bool) } |mSet1| < |mSet2| ==> (decreasing(mSet1, mSet2): Bool)) + } + + axiom multiset_ax_bound { + (forall mSet1: Multiset[S] :: { (bounded(mSet1): Bool) } (bounded(mSet1): Bool)) + } +} + +domain PredicateInstancesWellFoundedOrder { + + axiom predicate_instances_ax_dec { + (forall l1: PredicateInstance, l2: PredicateInstance :: { nestedPredicates(l1, l2) } (decreasing(l1, l2): Bool) == nestedPredicates(l1, l2)) + } + + axiom predicate_instances_ax_bound { + (forall l1: PredicateInstance :: { (bounded(l1): Bool) } (bounded(l1): 
Bool)) + } +} + +domain RationalWellFoundedOrder { + + axiom rational_ax_dec { + (forall int1: Perm, int2: Perm :: { (decreasing(int1, int2): Bool) } int1 <= int2 - 1 / 1 ==> (decreasing(int1, int2): Bool)) + } + + axiom rational_ax_bound { + (forall int1: Perm :: { (bounded(int1): Bool) } int1 >= 0 / 1 ==> (bounded(int1): Bool)) + } +} + +domain RefWellFoundedOrder { + + axiom ref_ax_dec { + (forall ref1: Ref :: { (decreasing(null, ref1): Bool) } ref1 != null ==> (decreasing(null, ref1): Bool)) + } + + axiom ref_ax_bound { + (forall ref1: Ref :: { (bounded(ref1): Bool) } (bounded(ref1): Bool)) + } +} + +domain SeqWellFoundedOrder[S] { + + axiom seq_ax_dec { + (forall seq1: Seq[S], seq2: Seq[S] :: { (decreasing(seq1, seq2): Bool) } |seq1| < |seq2| ==> (decreasing(seq1, seq2): Bool)) + } + + axiom seq_ax_bound { + (forall seq1: Seq[S] :: { (bounded(seq1): Bool) } |seq1| >= 0 ==> (bounded(seq1): Bool)) + } +} + +domain SetWellFoundedOrder[S] { + + axiom set_ax_dec { + (forall set1: Set[S], set2: Set[S] :: { (decreasing(set1, set2): Bool) } |set1| < |set2| ==> (decreasing(set1, set2): Bool)) + } + + axiom set_ax_bound { + (forall set1: Set[S] :: { (bounded(set1): Bool) } (bounded(set1): Bool)) + } +} + +domain WellFoundedOrder[T] { + + function decreasing(arg1: T, arg2: T): Bool + + function bounded(arg1: T): Bool +} + +domain PredicateInstancesNestedRelation { + + function nestedPredicates(l1: PredicateInstance, l2: PredicateInstance): Bool + + axiom nestedTrans { + (forall l1: PredicateInstance, l2: PredicateInstance, l3: PredicateInstance :: { nestedPredicates(l1, l2),nestedPredicates(l2, l3) } nestedPredicates(l1, l2) && nestedPredicates(l2, l3) ==> nestedPredicates(l1, l3)) + } + + axiom nestedReflex { + (forall l1: PredicateInstance :: !nestedPredicates(l1, l1)) + } +} + +domain PredicateInstance { + + +} + +field val$_Int: Int + +field val$_Slice_Ref: Slice[Ref] + +function strSlice(s: Int, l: Int, h: Int): Int + requires 0 <= l + requires l <= h + requires h 
<= strLen(s) + ensures strLen(result) == h - l + + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +function sconstruct_Ref(a: ShArray[Ref], offset: Int, len: Int, cap: Int): Slice[Ref] + requires 0 <= offset + requires 0 <= len + requires len <= cap + requires offset + cap <= (ShArraylen(a): Int) + ensures (sarray(result): ShArray[Ref]) == a + ensures (soffset(result): Int) == offset + ensures (slen(result): Int) == len + ensures (scap(result): Int) == cap + + +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: { (ShArrayloc(result, idx): Ref) } (ShArrayloc(result, idx): Ref) == null) + + +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function shStructDefault_$devA_PointerIntint$$$_S_$$$$$$_S_$$$_endpointA_Intint$$$_S_$$$_inputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$_outputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$$(): ShStruct4[Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of4(result): Ref) == null && (ShStructget1of4(result): Ref) == null && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +// decreases _ +function 
shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct5[Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of5(result): Ref) == null && (ShStructget1of5(result): Ref) == null && (ShStructget2of5(result): Ref) == null && (ShStructget3of5(result): Ref) == null && (ShStructget4of5(result): Ref) == null + + +// decreases _ +function shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$(): ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + ensures true && (ShStructget0of4(result): ShStruct4[Ref, Ref, Ref, Ref]) == shStructDefault_$devA_PointerIntint$$$_S_$$$$$$_S_$$$_endpointA_Intint$$$_S_$$$_inputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$_outputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$$() && (ShStructget1of4(result): ShStruct5[Ref, Ref, Ref, Ref, Ref]) == shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$() && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +// decreases _ +function shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$(): ShStruct4[Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of4(result): Ref) == null && (ShStructget1of4(result): Ref) == null && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +// decreases _ +function 
shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct5[Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of5(result): Ref) == null && (ShStructget1of5(result): Ref) == null && (ShStructget2of5(result): Ref) == null && (ShStructget3of5(result): Ref) == null && (ShStructget4of5(result): Ref) == null + + +// decreases _ +function shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of7(result): Ref) == null && (ShStructget1of7(result): Ref) == null && (ShStructget2of7(result): Ref) == null && (ShStructget3of7(result): Ref) == null && (ShStructget4of7(result): Ref) == null && (ShStructget5of7(result): Ref) == null && (ShStructget6of7(result): Ref) == null + + +// decreases _ +function shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of7(result): Ref) == null && (ShStructget1of7(result): Ref) == null && (ShStructget2of7(result): Ref) == null && (ShStructget3of7(result): Ref) == null && (ShStructget4of7(result): Ref) == null && (ShStructget5of7(result): Ref) == null && (ShStructget6of7(result): Ref) == null + + +// decreases _ +function 
shStructDefault_$TypeA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_NonceA_Intuint64$$$_S_$$$_PayloadA_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct4[Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of4(result): Ref) == null && (ShStructget1of4(result): Ref) == null && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +function getRid_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$9084e2f5_1186dc0d_ + requires acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) +{ + (unfolding acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in integer32_d2674021_F((ShStructget2of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int))) +} + +function getPP_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$9084e2f5_1186dc0d_ + requires acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) +{ + (unfolding acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) in tuple4_d2674021_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F((ShStructget2of4(initiator_V0): Ref).val$_Int)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F((ShStructget3of4(initiator_V0): Ref).val$_Int)), prologueTerm_d2674021_F(), infoTerm_d2674021_F())) +} + +function getNHash_1605c048_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem_1605c048_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem_1605c048_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getNKey_1605c048_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem_1605c048_F(hs_V0), 
wildcard) +{ + (unfolding acc(HandshakeMem_1605c048_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getEkI_1605c048_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem_1605c048_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem_1605c048_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getSidR_1605c048_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem_1605c048_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem_1605c048_F(hs_V0), wildcard) in integer32B_b3aa12e7_F((ShStructget3of5(hs_V0): Ref).val$_Int)) +} + +function getSidI_1605c048_F(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) +{ + (unfolding acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in integer32B_b3aa12e7_F((ShStructget2of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int))) +} + +function getKI_1605c048_F(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) +{ + (unfolding acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in Abs_c7a67a88_F((ShStructget1of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref))) +} + +function getPkR_1605c048_F(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires 
acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) +{ + (unfolding acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in Abs_c7a67a88_F((ShStructget4of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref))) +} + +function getPsk_1605c048_F(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) +{ + (unfolding acc(InitiatorMem_1605c048_F(initiator_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in Abs_c7a67a88_F((ShStructget0of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref))) +} + +function persistentFacts_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_]): Multiset[D$226445f2_3e61b158_] + ensures (forall f_V1: D$226445f2_3e61b158_ :: { (f_V1 in result) } (f_V1 in result) == (persistent_3e61b158_F(f_V1) && ((f_V1 in l_V0)) > 0 ? 1 : 0)) + + +function linearFacts_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_]): Multiset[D$226445f2_3e61b158_] + ensures (forall f_V1: D$226445f2_3e61b158_ :: { (f_V1 in result) } (f_V1 in result) == (persistent_3e61b158_F(f_V1) ? 
0 : (f_V1 in l_V0))) + + +function M_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_], s_V0: Multiset[D$226445f2_3e61b158_]): Bool + ensures result == ((linearFacts_3e61b158_F(l_V0) subset s_V0) && (persistentFacts_3e61b158_F(l_V0) subset s_V0)) +{ + (linearFacts_3e61b158_F(l_V0) subset s_V0) && (persistentFacts_3e61b158_F(l_V0) subset s_V0) +} + +function U_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_], r_V0: Multiset[D$226445f2_3e61b158_], s_V0: Multiset[D$226445f2_3e61b158_]): Multiset[D$226445f2_3e61b158_] + ensures result == ((s_V0 setminus linearFacts_3e61b158_F(l_V0)) union r_V0) + + +function InternalResp1L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(Setup_Resp_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0), LtK_Resp_3e61b158_F(sidR_V0, b_V0, kR_V0), LtpK_Resp_3e61b158_F(sidR_V0, a_V0, pkI_V0), PsK_Resp_3e61b158_F(sidR_V0, a_V0, b_V0, psk_V0), InFact_Resp_3e61b158_F(sidR_V0, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, epkI_V0, aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, 
h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)))), mac1I_V0, mac2I_V0))) +} + +function InternalResp1A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(InFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, epkI_V0, aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), 
pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)))), mac1I_V0, mac2I_V0))) +} + +function InternalResp1R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_1_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, 
h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0))))), sidI_V0)) +} + +function InternalResp2L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_1_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0), FrFact_Resp_3e61b158_F(sidR_V0, ekR_V0), MAC_Resp_3e61b158_F(sidR_V0, mac1R_V0), MAC_Resp_3e61b158_F(sidR_V0, mac2R_V0)) +} + +function InternalResp2A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, 
exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0)))))), SendSIDR_2716b91c_F(sidR_V0), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0), aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalResp2R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_2_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, 
exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0))), OutFact_Resp_3e61b158_F(sidR_V0, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0), aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalResp3L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_2_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), InFact_Resp_3e61b158_F(sidR_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, n_V0, aead_d2674021_F(kIR_V0, n_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp3A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: 
D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(ReceivedFirstResp_2716b91c_F(sidR_V0, sidI_V0, a_V0, b_V0, kIR_V0, kRI_V0, p_V0), Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kIR_V0, kRI_V0)))), Secret_2716b91c_F(a_V0, b_V0, pair_1186dc0d_F(kIR_V0, kRI_V0)), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, n_V0, aead_d2674021_F(kIR_V0, n_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp3R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0)) +} + +function InternalResp4L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), Counter_Resp_3e61b158_F(sidR_V0, nRI_V0), Message_Resp_3e61b158_F(sidR_V0, p_V0)) +} + +function InternalResp4A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, 
nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SentRespLoop_2716b91c_F(sidR_V0, sidI_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDI_2716b91c_F(sidI_V0), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp4R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), OutFact_Resp_3e61b158_F(sidR_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp5L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), InFact_Resp_3e61b158_F(sidR_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp5A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: 
D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(ReceivedRespLoop_2716b91c_F(sidR_V0, sidI_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDI_2716b91c_F(sidI_V0), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp5R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0)) +} + +function InternalInit1L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(Setup_Init_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0), LtK_Init_3e61b158_F(sidI_V0, a_V0, kI_V0), LtpK_Init_3e61b158_F(sidI_V0, b_V0, pkR_V0), PsK_Init_3e61b158_F(sidI_V0, a_V0, b_V0, psk_V0), FrFact_Init_3e61b158_F(sidI_V0, ekI_V0), Timestamp_Init_3e61b158_F(sidI_V0, timestamp_V0), MAC_Init_3e61b158_F(sidI_V0, mac1I_V0), MAC_Init_3e61b158_F(sidI_V0, mac2I_V0)) +} + +function InternalInit1A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: 
D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SendSIDI_2716b91c_F(sidI_V0), OutFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))))), mac1I_V0, mac2I_V0))) +} + +function InternalInit1R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: 
D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_1_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), 
exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))))))), OutFact_Init_3e61b158_F(sidI_V0, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))))), mac1I_V0, mac2I_V0))) +} + +function InternalInit2L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: 
D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_1_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0), InFact_Init_3e61b158_F(sidI_V0, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, epkR_V0, aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, epkR_V0), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalInit2A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)), 
kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)))))), Secret_2716b91c_F(a_V0, b_V0, pair_1186dc0d_F(kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)))), InFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, epkR_V0, aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, epkR_V0), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalInit2R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_2_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)), 
kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)))) +} + +function InternalInit3L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_2_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), Message_Init_3e61b158_F(sidI_V0, p_V0)) +} + +function InternalInit3A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SentFirstInit_2716b91c_F(sidI_V0, sidR_V0, a_V0, b_V0, kIR_V0, kRI_V0, p_V0), Running_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kIR_V0, kRI_V0)))), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_d2674021_F(kIR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit3R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, 
kIR_V0, kRI_V0), OutFact_Init_3e61b158_F(sidI_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_d2674021_F(kIR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit4L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), Counter_Init_3e61b158_F(sidI_V0, nIR_V0), Message_Init_3e61b158_F(sidI_V0, p_V0)) +} + +function InternalInit4A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SentInitLoop_2716b91c_F(sidI_V0, sidR_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDR_2716b91c_F(sidR_V0), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit4R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, 
sidR_V0, kIR_V0, kRI_V0), OutFact_Init_3e61b158_F(sidI_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit5L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), InFact_Init_3e61b158_F(sidI_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit5A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(ReceivedInitLoop_2716b91c_F(sidI_V0, sidR_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDR_2716b91c_F(sidR_V0), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit5R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: 
D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0)) +} + +function get_e_Handshake_St_Init_1_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, psk_V0, ekI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Handshake_St_Init_2_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0, sidR_V0, epkR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Send_First_Init_placeDst_c0f0ff6b_F(tami_p_V0: 
D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Send_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Receive_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, 
prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, x_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_OutFact_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, new_x_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V0), write) + + +function get_e_LtK_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtK_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtK_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtpK_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtpK_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtpK_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_r3_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_FrFact_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_FrFact_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Timestamp_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Timestamp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Timestamp_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Timestamp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_MAC_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_MAC_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_InFact_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_InFact_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Message_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, 
tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Message_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Counter_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Counter_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Init_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Init_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Init_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Resp_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Resp_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Resp_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function 
get_e_Handshake_St_Resp_1_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, kR_V0, pkI_V0, psk_V0, sidI_V0, epkI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Handshake_St_Resp_2_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0, ekR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Receive_First_Resp_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: 
D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, n_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Send_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Receive_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, 
nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function Size_c7a67a88_F(b_V0: Slice[Ref]): Int + requires acc(Mem_c7a67a88_F(b_V0), wildcard) + ensures result >= 0 && result == (slen(b_V0): Int) + + +function IsEqual_c7a67a88_F(b1_V0: Slice[Ref], b2_V0: Slice[Ref]): Bool + requires acc(Mem_c7a67a88_F(b1_V0), 1 / 200) && acc(Mem_c7a67a88_F(b2_V0), 1 / 200) + ensures result == (Abs_c7a67a88_F(b1_V0) == Abs_c7a67a88_F(b2_V0)) + + +function Abs_c7a67a88_F(b_V0: Slice[Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(Mem_c7a67a88_F(b_V0), wildcard) + ensures Size_c7a67a88_F(b_V0) == 0 ==> result == zeroStringB_b3aa12e7_F(0) + + +function SafeAbs_c7a67a88_F(b_V0: Slice[Ref], l_V0: Int): D$8d64a7ad_b3aa12e7_ + requires !(b_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(b_V0), wildcard) + ensures (!(b_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> result == Abs_c7a67a88_F(b_V0)) && (!!(b_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> result == zeroStringB_b3aa12e7_F(l_V0)) + + +function RequestMac1_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(RequestMem_c7a67a88_F(request_V0), wildcard) + ensures result == (unfolding acc(RequestMem_c7a67a88_F(request_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref, 16)) + + +function RequestMac2_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(RequestMem_c7a67a88_F(request_V0), wildcard) + ensures result == (unfolding acc(RequestMem_c7a67a88_F(request_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref, 16)) + + +function RequestAbs_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(RequestMem_c7a67a88_F(request_V0), wildcard) + ensures result == (unfolding acc(RequestMem_c7a67a88_F(request_V0), wildcard) in tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of7(request_V0): 
Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of7(request_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget2of7(request_V0): Ref).val$_Slice_Ref), Abs_c7a67a88_F((ShStructget3of7(request_V0): Ref).val$_Slice_Ref), Abs_c7a67a88_F((ShStructget4of7(request_V0): Ref).val$_Slice_Ref), SafeAbs_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref, 16), SafeAbs_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref, 16))) + + +function ResponseEpkR_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) + ensures result == (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in Abs_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref)) + + +function ResponseMac1_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) + ensures result == (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref, 16)) + + +function ResponseMac2_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) + ensures result == (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref, 16)) + + +function ResponseAbs_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) +{ + (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of7(response_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of7(response_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget2of7(response_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref), 
Abs_c7a67a88_F((ShStructget4of7(response_V0): Ref).val$_Slice_Ref), SafeAbs_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref, 16), SafeAbs_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref, 16))) +} + +function ConnectionKIR_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in Abs_c7a67a88_F((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref)) + + +function ConnectionKRI_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in Abs_c7a67a88_F((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref)) + + +function ConnectionSidI_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in integer32B_b3aa12e7_F((ShStructget3of4(conn_V0): Ref).val$_Int)) + + +function ConnectionNonce_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in integer64B_b3aa12e7_F((ShStructget0of4(conn_V0): Ref).val$_Int)) + + +function ConnectionNonceVal_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): Int + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in (ShStructget0of4(conn_V0): Ref).val$_Int) + + +function Bytes_pkI_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), kI_V0) +} + +function Bytes_epkI_35781e6d_F(ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + 
expB_b3aa12e7_F(generatorB_b3aa12e7_F(), ekI_V0) +} + +function Bytes_c0_35781e6d_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB__b3aa12e7_F(infoBytesB_b3aa12e7_F()) +} + +function Bytes_h0_35781e6d_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_c0_35781e6d_F(), prologueBytesB_b3aa12e7_F()) +} + +function Bytes_h1_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h0_35781e6d_F(), pkR_V0) +} + +function Bytes_c1_35781e6d_F(ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c0_35781e6d_F(), Bytes_epkI_35781e6d_F(ekI_V0)) +} + +function Bytes_h2_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h1_35781e6d_F(pkR_V0), Bytes_epkI_35781e6d_F(ekI_V0)) +} + +function Bytes_c2_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c1_35781e6d_F(ekI_V0), expB_b3aa12e7_F(pkR_V0, ekI_V0)) +} + +function Bytes_k1_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c1_35781e6d_F(ekI_V0), expB_b3aa12e7_F(pkR_V0, ekI_V0)) +} + +function Bytes_c_pkI_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k1_35781e6d_F(pkR_V0, ekI_V0), zeroStringB_b3aa12e7_F(12), Bytes_pkI_35781e6d_F(kI_V0), Bytes_h2_35781e6d_F(pkR_V0, ekI_V0)) +} + +function Bytes_h3_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h2_35781e6d_F(pkR_V0, ekI_V0), Bytes_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Bytes_c3_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c2_35781e6d_F(pkR_V0, ekI_V0), expB_b3aa12e7_F(pkR_V0, kI_V0)) +} + +function 
Bytes_k2_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c2_35781e6d_F(pkR_V0, ekI_V0), expB_b3aa12e7_F(pkR_V0, kI_V0)) +} + +function Bytes_c_ts_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k2_35781e6d_F(kI_V0, pkR_V0, ekI_V0), zeroStringB_b3aa12e7_F(12), ts_V0, Bytes_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Bytes_h4_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Bytes_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0)) +} + +function Bytes_M1_35781e6d_F(sidI_V0: D$8d64a7ad_b3aa12e7_, kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(1), sidI_V0, Bytes_epkI_35781e6d_F(ekI_V0), Bytes_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Bytes_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Bytes_c4_35781e6d_F(c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(c3_V0, epkR_V0) +} + +function Bytes_h5_35781e6d_F(h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(h4_V0, epkR_V0) +} + +function Bytes_c5_35781e6d_F(ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c4_35781e6d_F(c3_V0, epkR_V0), expB_b3aa12e7_F(epkR_V0, ekI_V0)) +} + +function Bytes_c6_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: 
D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c5_35781e6d_F(ekI_V0, c3_V0, epkR_V0), expB_b3aa12e7_F(epkR_V0, kI_V0)) +} + +function Bytes_c7_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Bytes_pi_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Bytes_k3_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf3B_b3aa12e7_F(Bytes_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Bytes_h6_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h5_35781e6d_F(h4_V0, epkR_V0), Bytes_pi_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Bytes_c_empty_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k3_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0), zeroStringB_b3aa12e7_F(12), zeroStringB_b3aa12e7_F(0), Bytes_h6_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0)) +} + +function Bytes_M2_35781e6d_F(sidI_V0: D$8d64a7ad_b3aa12e7_, sidR_V0: D$8d64a7ad_b3aa12e7_, kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: 
D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(2), sidR_V0, sidI_V0, epkR_V0, Bytes_c_empty_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0), mac1_V0, mac2_V0) +} + +function Bytes_k_IR_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B__b3aa12e7_F(Bytes_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Bytes_k_RI_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B__b3aa12e7_F(Bytes_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Term_pkI_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), kI_V0) +} + +function Term_epkI_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), ekI_V0) +} + +function Term_c0_35781e6d_F(): D$9084e2f5_1186dc0d_ +{ + hash__d2674021_F(infoTerm_d2674021_F()) +} + +function Term_h0_35781e6d_F(): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_c0_35781e6d_F(), prologueTerm_d2674021_F()) +} + +function Term_h1_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h0_35781e6d_F(), pkR_V0) +} + +function Term_c1_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c0_35781e6d_F(), Term_epkI_35781e6d_F(ekI_V0)) +} + +function Term_h2_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h1_35781e6d_F(pkR_V0), Term_epkI_35781e6d_F(ekI_V0)) +} + +function Term_c2_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c1_35781e6d_F(ekI_V0), exp_d2674021_F(pkR_V0, ekI_V0)) +} + +function Term_k1_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c1_35781e6d_F(ekI_V0), exp_d2674021_F(pkR_V0, ekI_V0)) +} + +function Term_c_pkI_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k1_35781e6d_F(pkR_V0, ekI_V0), zeroString_d2674021_F(12), Term_pkI_35781e6d_F(kI_V0), Term_h2_35781e6d_F(pkR_V0, ekI_V0)) +} + +function Term_h3_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h2_35781e6d_F(pkR_V0, ekI_V0), Term_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Term_c3_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c2_35781e6d_F(pkR_V0, ekI_V0), exp_d2674021_F(pkR_V0, kI_V0)) +} + +function Term_k2_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c2_35781e6d_F(pkR_V0, ekI_V0), exp_d2674021_F(pkR_V0, kI_V0)) +} + +function Term_c_ts_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k2_35781e6d_F(kI_V0, pkR_V0, ekI_V0), zeroString_d2674021_F(12), ts_V0, Term_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Term_h4_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Term_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0)) +} + +function Term_M1_35781e6d_F(sidI_V0: 
D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(1), sidI_V0, Term_epkI_35781e6d_F(ekI_V0), Term_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Term_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Term_c4_35781e6d_F(c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(c3_V0, epkR_V0) +} + +function Term_h5_35781e6d_F(h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(h4_V0, epkR_V0) +} + +function Term_c5_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c4_35781e6d_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)) +} + +function Term_c5_lin_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c4_35781e6d_F(c3_V0, epkR1_V0), exp_d2674021_F(epkR2_V0, ekI_V0)) +} + +function Term_c6_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c5_35781e6d_F(ekI_V0, c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, kI_V0)) +} + +function Term_c6_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c5_lin_35781e6d_F(ekI_V0, c3_V0, epkR1_V0, epkR2_V0), exp_d2674021_F(epkR3_V0, kI_V0)) +} + +function Term_c7_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, 
c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Term_pi_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Term_pi_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c6_lin_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR1_V0, epkR2_V0, epkR3_V0), psk_V0) +} + +function Term_k3_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf3_d2674021_F(Term_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Term_k3_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf3_d2674021_F(Term_c6_lin_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR1_V0, epkR2_V0, epkR3_V0), psk_V0) +} + +function Term_h6_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h5_35781e6d_F(h4_V0, epkR_V0), Term_pi_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Term_h6_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, 
h4_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_, epkR4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h5_35781e6d_F(h4_V0, epkR1_V0), Term_pi_lin_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR2_V0, epkR3_V0, epkR4_V0)) +} + +function Term_c_empty_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k3_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0), zeroString_d2674021_F(12), zeroString_d2674021_F(0), Term_h6_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0)) +} + +function Term_c_empty_lin_35781e6d_F(kI1_V0: D$9084e2f5_1186dc0d_, kI2_V0: D$9084e2f5_1186dc0d_, psk1_V0: D$9084e2f5_1186dc0d_, psk2_V0: D$9084e2f5_1186dc0d_, ekI1_V0: D$9084e2f5_1186dc0d_, ekI2_V0: D$9084e2f5_1186dc0d_, c31_V0: D$9084e2f5_1186dc0d_, c32_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_, epkR4_V0: D$9084e2f5_1186dc0d_, epkR5_V0: D$9084e2f5_1186dc0d_, epkR6_V0: D$9084e2f5_1186dc0d_, epkR7_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k3_lin_35781e6d_F(kI1_V0, psk1_V0, ekI1_V0, c31_V0, epkR1_V0, epkR2_V0, epkR3_V0), zeroString_d2674021_F(12), zeroString_d2674021_F(0), Term_h6_lin_35781e6d_F(kI2_V0, psk2_V0, ekI2_V0, c32_V0, h4_V0, epkR4_V0, epkR5_V0, epkR6_V0, epkR7_V0)) +} + +function Term_M2_35781e6d_F(sidI_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(2), 
sidR_V0, sidI_V0, epkR_V0, Term_c_empty_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0), mac1_V0, mac2_V0) +} + +function Term_M2_lin_35781e6d_F(sidI_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kI1_V0: D$9084e2f5_1186dc0d_, kI2_V0: D$9084e2f5_1186dc0d_, psk1_V0: D$9084e2f5_1186dc0d_, psk2_V0: D$9084e2f5_1186dc0d_, ekI1_V0: D$9084e2f5_1186dc0d_, ekI2_V0: D$9084e2f5_1186dc0d_, c31_V0: D$9084e2f5_1186dc0d_, c32_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_, epkR4_V0: D$9084e2f5_1186dc0d_, epkR5_V0: D$9084e2f5_1186dc0d_, epkR6_V0: D$9084e2f5_1186dc0d_, epkR7_V0: D$9084e2f5_1186dc0d_, epkR8_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(2), sidR_V0, sidI_V0, epkR1_V0, Term_c_empty_lin_35781e6d_F(kI1_V0, kI2_V0, psk1_V0, psk2_V0, ekI1_V0, ekI2_V0, c31_V0, c32_V0, h4_V0, epkR2_V0, epkR3_V0, epkR4_V0, epkR5_V0, epkR6_V0, epkR7_V0, epkR8_V0), mac1_V0, mac2_V0) +} + +function Term_k_IR_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1__d2674021_F(Term_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Term_k_RI_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2__d2674021_F(Term_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Bytes_pkR_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), kR_V0) +} + +function Bytes_epkR_68d987ee_F(ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), ekR_V0) +} + +function Bytes_c0_68d987ee_F(): 
D$8d64a7ad_b3aa12e7_ +{ + hashB__b3aa12e7_F(infoBytesB_b3aa12e7_F()) +} + +function Bytes_h0_68d987ee_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_c0_68d987ee_F(), prologueBytesB_b3aa12e7_F()) +} + +function Bytes_h1_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h0_68d987ee_F(), Bytes_pkR_68d987ee_F(kR_V0)) +} + +function Bytes_c1_68d987ee_F(epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c0_68d987ee_F(), epkI_V0) +} + +function Bytes_h2_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h1_68d987ee_F(kR_V0), epkI_V0) +} + +function Bytes_c2_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c1_68d987ee_F(epkI_V0), expB_b3aa12e7_F(epkI_V0, kR_V0)) +} + +function Bytes_k1_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c1_68d987ee_F(epkI_V0), expB_b3aa12e7_F(epkI_V0, kR_V0)) +} + +function Bytes_c_pkI_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k1_68d987ee_F(kR_V0, epkI_V0), zeroStringB_b3aa12e7_F(12), pkI_V0, Bytes_h2_68d987ee_F(kR_V0, epkI_V0)) +} + +function Bytes_h3_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h2_68d987ee_F(kR_V0, epkI_V0), Bytes_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Bytes_c3_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c2_68d987ee_F(kR_V0, epkI_V0), expB_b3aa12e7_F(pkI_V0, kR_V0)) +} + +function Bytes_k2_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): 
D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c2_68d987ee_F(kR_V0, epkI_V0), expB_b3aa12e7_F(pkI_V0, kR_V0)) +} + +function Bytes_c_ts_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k2_68d987ee_F(kR_V0, pkI_V0, epkI_V0), zeroStringB_b3aa12e7_F(12), ts_V0, Bytes_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Bytes_h4_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Bytes_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0)) +} + +function Bytes_M1_68d987ee_F(sidI_V0: D$8d64a7ad_b3aa12e7_, kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(1), sidI_V0, epkI_V0, Bytes_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Bytes_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Bytes_c4_68d987ee_F(c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(c3_V0, Bytes_epkR_68d987ee_F(ekR_V0)) +} + +function Bytes_h5_68d987ee_F(h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(h4_V0, Bytes_epkR_68d987ee_F(ekR_V0)) +} + +function Bytes_c5_68d987ee_F(epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c4_68d987ee_F(c3_V0, ekR_V0), expB_b3aa12e7_F(epkI_V0, ekR_V0)) +} + +function Bytes_c6_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + 
kdf1B_b3aa12e7_F(Bytes_c5_68d987ee_F(epkI_V0, c3_V0, ekR_V0), expB_b3aa12e7_F(pkI_V0, ekR_V0)) +} + +function Bytes_c7_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Bytes_pi_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Bytes_k3_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf3B_b3aa12e7_F(Bytes_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Bytes_h6_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h5_68d987ee_F(h4_V0, ekR_V0), Bytes_pi_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Bytes_c_empty_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k3_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0), zeroStringB_b3aa12e7_F(12), zeroStringB_b3aa12e7_F(0), Bytes_h6_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0)) +} + +function Bytes_M2_68d987ee_F(sidI_V0: D$8d64a7ad_b3aa12e7_, sidR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: 
D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(2), sidR_V0, sidI_V0, Bytes_epkR_68d987ee_F(ekR_V0), Bytes_c_empty_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0), mac1_V0, mac2_V0) +} + +function Bytes_k_IR_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B__b3aa12e7_F(Bytes_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Bytes_k_RI_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B__b3aa12e7_F(Bytes_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Term_pkR_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), kR_V0) +} + +function Term_epkR_68d987ee_F(ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), ekR_V0) +} + +function Term_c0_68d987ee_F(): D$9084e2f5_1186dc0d_ +{ + hash__d2674021_F(infoTerm_d2674021_F()) +} + +function Term_h0_68d987ee_F(): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_c0_68d987ee_F(), prologueTerm_d2674021_F()) +} + +function Term_h1_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h0_68d987ee_F(), Term_pkR_68d987ee_F(kR_V0)) +} + +function Term_c1_68d987ee_F(epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c0_68d987ee_F(), epkI_V0) +} + +function Term_h2_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h1_68d987ee_F(kR_V0), epkI_V0) +} + +function Term_c2_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): 
D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c1_68d987ee_F(epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)) +} + +function Term_c2_lin_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c1_68d987ee_F(epkI1_V0), exp_d2674021_F(epkI2_V0, kR_V0)) +} + +function Term_k1_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c1_68d987ee_F(epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)) +} + +function Term_k1_lin_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c1_68d987ee_F(epkI1_V0), exp_d2674021_F(epkI2_V0, kR_V0)) +} + +function Term_c_pkI_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k1_68d987ee_F(kR_V0, epkI_V0), zeroString_d2674021_F(12), pkI_V0, Term_h2_68d987ee_F(kR_V0, epkI_V0)) +} + +function Term_c_pkI_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k1_lin_68d987ee_F(kR1_V0, epkI1_V0, epkI2_V0), zeroString_d2674021_F(12), pkI_V0, Term_h2_68d987ee_F(kR2_V0, epkI3_V0)) +} + +function Term_h3_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h2_68d987ee_F(kR_V0, epkI_V0), Term_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Term_h3_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, kR3_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_, epkI4_V0: D$9084e2f5_1186dc0d_): 
D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h2_68d987ee_F(kR1_V0, epkI1_V0), Term_c_pkI_lin_68d987ee_F(kR2_V0, kR3_V0, pkI_V0, epkI2_V0, epkI3_V0, epkI4_V0)) +} + +function Term_c3_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c2_68d987ee_F(kR_V0, epkI_V0), exp_d2674021_F(pkI_V0, kR_V0)) +} + +function Term_k2_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c2_68d987ee_F(kR_V0, epkI_V0), exp_d2674021_F(pkI_V0, kR_V0)) +} + +function Term_k2_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c2_lin_68d987ee_F(kR1_V0, epkI1_V0, epkI2_V0), exp_d2674021_F(pkI_V0, kR2_V0)) +} + +function Term_c_ts_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k2_68d987ee_F(kR_V0, pkI_V0, epkI_V0), zeroString_d2674021_F(12), ts_V0, Term_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Term_c_ts_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, kR3_V0: D$9084e2f5_1186dc0d_, kR4_V0: D$9084e2f5_1186dc0d_, kR5_V0: D$9084e2f5_1186dc0d_, pkI1_V0: D$9084e2f5_1186dc0d_, pkI2_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_, epkI4_V0: D$9084e2f5_1186dc0d_, epkI5_V0: D$9084e2f5_1186dc0d_, epkI6_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k2_lin_68d987ee_F(kR1_V0, kR2_V0, pkI1_V0, epkI1_V0, epkI2_V0), zeroString_d2674021_F(12), ts_V0, Term_h3_lin_68d987ee_F(kR3_V0, kR4_V0, kR5_V0, pkI2_V0, epkI3_V0, epkI4_V0, epkI5_V0, epkI6_V0)) +} + +function 
Term_h4_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Term_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0)) +} + +function Term_M1_68d987ee_F(sidI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(1), sidI_V0, epkI_V0, Term_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Term_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Term_M1_lin_68d987ee_F(sidI_V0: D$9084e2f5_1186dc0d_, kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, kR3_V0: D$9084e2f5_1186dc0d_, kR4_V0: D$9084e2f5_1186dc0d_, kR5_V0: D$9084e2f5_1186dc0d_, kR6_V0: D$9084e2f5_1186dc0d_, kR7_V0: D$9084e2f5_1186dc0d_, pkI1_V0: D$9084e2f5_1186dc0d_, pkI2_V0: D$9084e2f5_1186dc0d_, pkI3_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_, epkI4_V0: D$9084e2f5_1186dc0d_, epkI5_V0: D$9084e2f5_1186dc0d_, epkI6_V0: D$9084e2f5_1186dc0d_, epkI7_V0: D$9084e2f5_1186dc0d_, epkI8_V0: D$9084e2f5_1186dc0d_, epkI9_V0: D$9084e2f5_1186dc0d_, epkI10_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(1), sidI_V0, epkI1_V0, Term_c_pkI_lin_68d987ee_F(kR1_V0, kR2_V0, pkI1_V0, epkI2_V0, epkI3_V0, epkI4_V0), Term_c_ts_lin_68d987ee_F(kR3_V0, kR4_V0, kR5_V0, kR6_V0, kR7_V0, pkI2_V0, pkI3_V0, epkI5_V0, epkI6_V0, epkI7_V0, epkI8_V0, epkI9_V0, epkI10_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Term_c4_68d987ee_F(c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(c3_V0, 
Term_epkR_68d987ee_F(ekR_V0)) +} + +function Term_h5_68d987ee_F(h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(h4_V0, Term_epkR_68d987ee_F(ekR_V0)) +} + +function Term_c5_68d987ee_F(epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c4_68d987ee_F(c3_V0, ekR_V0), exp_d2674021_F(epkI_V0, ekR_V0)) +} + +function Term_c6_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c5_68d987ee_F(epkI_V0, c3_V0, ekR_V0), exp_d2674021_F(pkI_V0, ekR_V0)) +} + +function Term_c7_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Term_pi_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Term_k3_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf3_d2674021_F(Term_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Term_h6_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h5_68d987ee_F(h4_V0, ekR_V0), Term_pi_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Term_c_empty_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: 
D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k3_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0), zeroString_d2674021_F(12), zeroString_d2674021_F(0), Term_h6_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0)) +} + +function Term_M2_68d987ee_F(sidI_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(2), sidR_V0, sidI_V0, Term_epkR_68d987ee_F(ekR_V0), Term_c_empty_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0), mac1_V0, mac2_V0) +} + +function Term_k_IR_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1__d2674021_F(Term_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Term_k_RI_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2__d2674021_F(Term_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +predicate HandshakeMem_1605c048_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref), write) && 
acc(Mem_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref) == 32) +} + +predicate InitiatorMem_1605c048_F(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]) { + true && (acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), write) && acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), write) && acc((ShStructget2of4(initiator_V0): Ref).val$_Int, write) && acc((ShStructget3of4(initiator_V0): Ref).val$_Int, write)) +} + +predicate ErrorMem_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate token_c3672ae3_F(t_V0: D$fe170ee1_c3672ae3_) + +predicate e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: 
D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Send_First_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_OutFact_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, new_x_V0: D$9084e2f5_1186dc0d_) + +predicate P_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: 
D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(phiR_Resp_0_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_1_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_2_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_3_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_4_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRG_Resp_5_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_6_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_7_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_8_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_9_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_10_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_11_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_12_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_13_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_14_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write)) +} + +predicate phiR_Resp_0_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, 
psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Resp_3e61b158_F(sidR_V1, b_V1, kR_V1), LtpK_Resp_3e61b158_F(sidR_V1, a_V1, pkI_V1), PsK_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, psk_V1), InFact_Resp_3e61b158_F(sidR_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_ap_V1 == Multiset(InFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), 
epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), 
epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))))), sidI_V1)) ==> acc(e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Resp_3e61b158_F(sidR_V1, b_V1, kR_V1), LtpK_Resp_3e61b158_F(sidR_V1, a_V1, pkI_V1), PsK_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, psk_V1), InFact_Resp_3e61b158_F(sidR_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_ap_V1 == Multiset(InFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == 
Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))))), sidI_V1)) ==> acc(P_Resp_c0f0ff6b_F(get_e_Handshake_St_Resp_1_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: 
D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, ekR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1), FrFact_Resp_3e61b158_F(sidR_V1, ekR_V1), MAC_Resp_3e61b158_F(sidR_V1, mac1R_V1), MAC_Resp_3e61b158_F(sidR_V1, mac2R_V1)) && tami_ap_V1 == Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)))))), SendSIDR_2716b91c_F(sidR_V1), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), 
aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), OutFact_Resp_3e61b158_F(sidR_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), 
ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) ==> acc(e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, ekR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1), FrFact_Resp_3e61b158_F(sidR_V1, ekR_V1), MAC_Resp_3e61b158_F(sidR_V1, mac1R_V1), MAC_Resp_3e61b158_F(sidR_V1, mac2R_V1)) && tami_ap_V1 == Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)))))), SendSIDR_2716b91c_F(sidR_V1), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), OutFact_Resp_3e61b158_F(sidR_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), 
exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) ==> acc(P_Resp_c0f0ff6b_F(get_e_Handshake_St_Resp_2_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, n_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == 
Multiset(ReceivedFirstResp_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, n_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedFirstResp_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), 
pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(P_Resp_c0f0ff6b_F(get_e_Receive_First_Resp_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_3_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), Counter_Resp_3e61b158_F(sidR_V1, nRI_V1), Message_Resp_3e61b158_F(sidR_V1, p_V1)) && tami_ap_V1 == Multiset(SentRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), 
sidI_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), OutFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), Counter_Resp_3e61b158_F(sidR_V1, nRI_V1), Message_Resp_3e61b158_F(sidR_V1, p_V1)) && tami_ap_V1 == Multiset(SentRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), OutFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, nRI_V1, 
aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(P_Resp_c0f0ff6b_F(get_e_Send_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_4_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> 
acc(e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(P_Resp_c0f0ff6b_F(get_e_Receive_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiRG_Resp_5_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: 
D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), write)) && (forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(P_Resp_c0f0ff6b_F(get_e_OutFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), tami_rid_V0, (tami_s_V0 setminus Multiset(OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1)))), write))) +} + +predicate phiRF_Resp_6_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_LtK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtK_Resp_3e61b158_F(tami_rid_V0, get_e_LtK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_7_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_LtpK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtpK_Resp_3e61b158_F(tami_rid_V0, get_e_LtpK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtpK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_8_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && 
acc(P_Resp_c0f0ff6b_F(get_e_PsK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(PsK_Resp_3e61b158_F(tami_rid_V0, get_e_PsK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r3_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_9_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_InFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(InFact_Resp_3e61b158_F(tami_rid_V0, get_e_InFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_10_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_FrFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(FrFact_Resp_3e61b158_F(tami_rid_V0, get_e_FrFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_11_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_MAC_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(MAC_Resp_3e61b158_F(tami_rid_V0, get_e_MAC_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_12_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_Counter_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union 
Multiset(Counter_Resp_3e61b158_F(tami_rid_V0, get_e_Counter_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_13_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_Message_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Message_Resp_3e61b158_F(tami_rid_V0, get_e_Message_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_14_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_Setup_Resp_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Setup_Resp_3e61b158_F(tami_rid_V0, get_e_Setup_Resp_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_Setup_Resp_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), pubTerm_1186dc0d_F(const_p_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_i_pub_db7e1422_F()))))), write)) +} + +predicate e_LtK_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_LtpK_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_PsK_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_FrFact_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Timestamp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_MAC_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_InFact_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Message_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate 
e_Counter_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Setup_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Setup_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: 
Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate P_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(phiR_Init_0_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_1_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_2_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_3_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_4_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRG_Init_5_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_6_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_7_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_8_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && 
acc(phiRF_Init_9_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_10_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_11_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_12_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_13_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_14_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_15_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write)) +} + +predicate phiR_Init_0_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Init_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Init_3e61b158_F(sidI_V1, a_V1, kI_V1), LtpK_Init_3e61b158_F(sidI_V1, b_V1, pkR_V1), PsK_Init_3e61b158_F(sidI_V1, a_V1, b_V1, psk_V1), FrFact_Init_3e61b158_F(sidI_V1, ekI_V1), Timestamp_Init_3e61b158_F(sidI_V1, timestamp_V1), MAC_Init_3e61b158_F(sidI_V1, mac1I_V1), MAC_Init_3e61b158_F(sidI_V1, mac2I_V1)) && tami_ap_V1 == Multiset(SendSIDI_2716b91c_F(sidI_V1), OutFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))))), OutFact_Init_3e61b158_F(sidI_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) ==> acc(e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Init_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Init_3e61b158_F(sidI_V1, 
a_V1, kI_V1), LtpK_Init_3e61b158_F(sidI_V1, b_V1, pkR_V1), PsK_Init_3e61b158_F(sidI_V1, a_V1, b_V1, psk_V1), FrFact_Init_3e61b158_F(sidI_V1, ekI_V1), Timestamp_Init_3e61b158_F(sidI_V1, timestamp_V1), MAC_Init_3e61b158_F(sidI_V1, mac1I_V1), MAC_Init_3e61b158_F(sidI_V1, mac2I_V1)) && tami_ap_V1 == Multiset(SendSIDI_2716b91c_F(sidI_V1), OutFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, 
kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))))), OutFact_Init_3e61b158_F(sidI_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) ==> acc(P_Init_c0f0ff6b_F(get_e_Handshake_St_Init_1_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, ekI_V1: 
D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, epkR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1), InFact_Init_3e61b158_F(sidI_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_ap_V1 == Multiset(Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))))), Secret_2716b91c_F(a_V1, b_V1, 
pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))), InFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))) ==> acc(e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidR_V1: 
D$9084e2f5_1186dc0d_, epkR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1), InFact_Init_3e61b158_F(sidI_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_ap_V1 == Multiset(Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), 
exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))), InFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))) ==> acc(P_Init_c0f0ff6b_F(get_e_Handshake_St_Init_2_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: 
D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentFirstInit_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Running_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: 
Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentFirstInit_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Running_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(P_Init_c0f0ff6b_F(get_e_Send_First_Init_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_3_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: 
D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Counter_Init_3e61b158_F(sidI_V1, nIR_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, 
prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Counter_Init_3e61b158_F(sidI_V1, nIR_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(P_Init_c0f0ff6b_F(get_e_Send_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_4_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, 
nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), InFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1)) ==> acc(e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), InFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, 
pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1)) ==> acc(P_Init_c0f0ff6b_F(get_e_Receive_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiRG_Init_5_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), write)) && (forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(P_Init_c0f0ff6b_F(get_e_OutFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), tami_rid_V0, (tami_s_V0 setminus Multiset(OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1)))), write))) +} + +predicate phiRF_Init_6_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_LtK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union 
Multiset(LtK_Init_3e61b158_F(tami_rid_V0, get_e_LtK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_7_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_LtpK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtpK_Init_3e61b158_F(tami_rid_V0, get_e_LtpK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtpK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_8_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_PsK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(PsK_Init_3e61b158_F(tami_rid_V0, get_e_PsK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r3_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_9_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_FrFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(FrFact_Init_3e61b158_F(tami_rid_V0, get_e_FrFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_10_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Timestamp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Timestamp_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Timestamp_Init_3e61b158_F(tami_rid_V0, 
get_e_Timestamp_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_11_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_MAC_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(MAC_Init_3e61b158_F(tami_rid_V0, get_e_MAC_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_12_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_InFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(InFact_Init_3e61b158_F(tami_rid_V0, get_e_InFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_13_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Message_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Message_Init_3e61b158_F(tami_rid_V0, get_e_Message_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_14_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Counter_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Counter_Init_3e61b158_F(tami_rid_V0, get_e_Counter_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_15_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && 
(acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Setup_Init_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Setup_Init_3e61b158_F(tami_rid_V0, get_e_Setup_Init_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_Setup_Init_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), pubTerm_1186dc0d_F(const_p_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_i_pub_db7e1422_F()))))), write)) +} + +predicate Mem_c7a67a88_F(b_V0: Slice[Ref]) + +predicate LibMem_c7a67a88_F(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) + +predicate RequestMem_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of7(request_V0): Ref).val$_Int, write) && acc((ShStructget1of7(request_V0): Ref).val$_Int, write) && acc((ShStructget2of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget5of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget6of7(request_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget2of7(request_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget3of7(request_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of7(request_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget2of7(request_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget3of7(request_V0): Ref).val$_Slice_Ref) == 48 && Size_c7a67a88_F((ShStructget4of7(request_V0): Ref).val$_Slice_Ref) == 28 && (!((ShStructget5of7(request_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref) == 16) && (!((ShStructget6of7(request_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget6of7(request_V0): 
Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref) == 16)) +} + +predicate ResponseMem_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of7(response_V0): Ref).val$_Int, write) && acc((ShStructget1of7(response_V0): Ref).val$_Int, write) && acc((ShStructget2of7(response_V0): Ref).val$_Int, write) && acc((ShStructget3of7(response_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of7(response_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget5of7(response_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget6of7(response_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of7(response_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget4of7(response_V0): Ref).val$_Slice_Ref) == 16 && (!((ShStructget5of7(response_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref) == 16) && (!((ShStructget6of7(response_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref) == 16)) +} + +predicate ConnectionMem_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of4(conn_V0): Ref).val$_Int, write) && acc((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of4(conn_V0): Ref).val$_Int, write) && acc(Mem_c7a67a88_F((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref), write) && 
Size_c7a67a88_F((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref) == 32) +} + +predicate HandshakeArgsMem_c7a67a88_F(args_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of5(args_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(args_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(args_V0): Ref).val$_Int, write) && acc((ShStructget3of5(args_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of5(args_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget0of5(args_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget1of5(args_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget3of5(args_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of5(args_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget0of5(args_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget1of5(args_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget3of5(args_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget4of5(args_V0): Ref).val$_Slice_Ref) == 32 && Abs_c7a67a88_F((ShStructget3of5(args_V0): Ref).val$_Slice_Ref) == expB_b3aa12e7_F(generatorB_b3aa12e7_F(), Abs_c7a67a88_F((ShStructget1of5(args_V0): Ref).val$_Slice_Ref))) +} + +predicate patternRequirement1EPKRWitness_8142c2d2_F(t_V0: D$9084e2f5_1186dc0d_) + +predicate patternRequirement3EPKIWitness_8142c2d2_F(t_V0: D$9084e2f5_1186dc0d_) + +predicate patternRequirement4NonceWitness_8142c2d2_F(t_V0: D$9084e2f5_1186dc0d_) + +method RunInitiator_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], sid_V0: Int, a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), write) && (true && acc((ShStructget0of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, 
Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int, write) && acc((ShStructget3of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget4of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write)) && acc((ShStructget2of4(initiator_V0): Ref).val$_Int, write) && acc((ShStructget3of4(initiator_V0): Ref).val$_Int, write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0)), Multiset[D$226445f2_3e61b158_]()), write) + requires !(sid_V0 == 1) && !(sid_V0 == 2) && !(sid_V0 == 4) +{ + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, sid_V0_CN1: uint32°, a_V0_CN2: uint32°, b_V0_CN3: uint32°, t_V0_CN4: Place_c3672ae3_T° + var t_V0_CN4: D$fe170ee1_c3672ae3_ + var b_V0_CN3: Int + var a_V0_CN2: Int + var sid_V0_CN1: Int + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init sid_V0_CN1 + inhale sid_V0_CN1 == 0 + + // init a_V0_CN2 + inhale a_V0_CN2 == 0 + + // init b_V0_CN3 + inhale b_V0_CN3 == 0 + + // init t_V0_CN4 + inhale t_V0_CN4 == dfltD$fe170ee1_c3672ae3_() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // sid_V0_CN1 = sid_V0 + sid_V0_CN1 := sid_V0 + + // a_V0_CN2 = a_V0 + a_V0_CN2 := a_V0 + + // b_V0_CN3 = b_V0 + b_V0_CN3 := b_V0 + + // t_V0_CN4 = t_V0 + t_V0_CN4 := t_V0 + + // decl N7: bool°, N8: Term_1186dc0d_T°, N9: Term_1186dc0d_T°, N10: 
Term_1186dc0d_T°, N11: Place_c3672ae3_T°, N12: mset[Fact_3e61b158_T]°, ok_V1: bool°, pskT_V1: Term_1186dc0d_T°, ltkT_V1: Term_1186dc0d_T°, ltpkT_V1: Term_1186dc0d_T°, t1_V1: Place_c3672ae3_T°, s1_V1: mset[Fact_3e61b158_T]°, sidRT_V1: Term_1186dc0d_T°, kirT_V1: Term_1186dc0d_T°, kriT_V1: Term_1186dc0d_T°, N13: *Connection_c7a67a88_T°, N14: bool°, N15: Term_1186dc0d_T°, N16: Term_1186dc0d_T°, N17: Term_1186dc0d_T°, N18: Place_c3672ae3_T°, N19: mset[Fact_3e61b158_T]°, keypair_V1: *Connection_c7a67a88_T°, t2_V1: Place_c3672ae3_T°, s2_V1: mset[Fact_3e61b158_T]° + var s2_V1: Multiset[D$226445f2_3e61b158_] + var t2_V1: D$fe170ee1_c3672ae3_ + var keypair_V1: ShStruct4[Ref, Ref, Ref, Ref] + var N19: Multiset[D$226445f2_3e61b158_] + var N18: D$fe170ee1_c3672ae3_ + var N17: D$9084e2f5_1186dc0d_ + var N16: D$9084e2f5_1186dc0d_ + var N15: D$9084e2f5_1186dc0d_ + var N14: Bool + var N13: ShStruct4[Ref, Ref, Ref, Ref] + var kriT_V1: D$9084e2f5_1186dc0d_ + var kirT_V1: D$9084e2f5_1186dc0d_ + var sidRT_V1: D$9084e2f5_1186dc0d_ + var s1_V1: Multiset[D$226445f2_3e61b158_] + var t1_V1: D$fe170ee1_c3672ae3_ + var ltpkT_V1: D$9084e2f5_1186dc0d_ + var ltkT_V1: D$9084e2f5_1186dc0d_ + var pskT_V1: D$9084e2f5_1186dc0d_ + var ok_V1: Bool + var N12: Multiset[D$226445f2_3e61b158_] + var N11: D$fe170ee1_c3672ae3_ + var N10: D$9084e2f5_1186dc0d_ + var N9: D$9084e2f5_1186dc0d_ + var N8: D$9084e2f5_1186dc0d_ + var N7: Bool + + // N7, N8, N9, N10, N11, N12 = initiator_V0_CN0getInitialState(sid_V0_CN1, a_V0_CN2, b_V0_CN3, t_V0_CN4) + N7, N8, N9, N10, N11, N12 := getInitialState_1605c048_PMInitiator(initiator_V0_CN0, sid_V0_CN1, a_V0_CN2, b_V0_CN3, t_V0_CN4) + + // init ok_V1 + inhale ok_V1 == false + + // init pskT_V1 + inhale pskT_V1 == dfltD$9084e2f5_1186dc0d_() + + // init ltkT_V1 + inhale ltkT_V1 == dfltD$9084e2f5_1186dc0d_() + + // init ltpkT_V1 + inhale ltpkT_V1 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V1 + inhale t1_V1 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V1 + inhale s1_V1 == 
Multiset[D$226445f2_3e61b158_]() + + // ok_V1 = N7 + ok_V1 := N7 + + // pskT_V1 = N8 + pskT_V1 := N8 + + // ltkT_V1 = N9 + ltkT_V1 := N9 + + // ltpkT_V1 = N10 + ltpkT_V1 := N10 + + // t1_V1 = N11 + t1_V1 := N11 + + // s1_V1 = N12 + s1_V1 := N12 + + // if(!ok_V1) {...} else {...} + if (!ok_V1) { + + // decl + + // return + goto returnLabel + } + + // init sidRT_V1 + inhale sidRT_V1 == dfltD$9084e2f5_1186dc0d_() + + // init kirT_V1 + inhale kirT_V1 == dfltD$9084e2f5_1186dc0d_() + + // init kriT_V1 + inhale kriT_V1 == dfltD$9084e2f5_1186dc0d_() + + // sidRT_V1 = dflt[Term_1186dc0d_T] + sidRT_V1 := dfltD$9084e2f5_1186dc0d_() + + // kirT_V1 = dflt[Term_1186dc0d_T] + kirT_V1 := dfltD$9084e2f5_1186dc0d_() + + // kriT_V1 = dflt[Term_1186dc0d_T] + kriT_V1 := dfltD$9084e2f5_1186dc0d_() + + // N13, N14, N15, N16, N17, N18, N19 = initiator_V0_CN0runHandshake(pskT_V1, ltkT_V1, ltpkT_V1, t1_V1, s1_V1) + N13, N14, N15, N16, N17, N18, N19 := runHandshake_1605c048_PMInitiator(initiator_V0_CN0, pskT_V1, ltkT_V1, ltpkT_V1, t1_V1, s1_V1) + + // init keypair_V1 + inhale keypair_V1 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init t2_V1 + inhale t2_V1 == dfltD$fe170ee1_c3672ae3_() + + // init s2_V1 + inhale s2_V1 == Multiset[D$226445f2_3e61b158_]() + + // keypair_V1 = N13 + keypair_V1 := N13 + + // ok_V1 = N14 + ok_V1 := N14 + + // sidRT_V1 = N15 + sidRT_V1 := N15 + + // kirT_V1 = N16 + kirT_V1 := N16 + + // kriT_V1 = N17 + kriT_V1 := N17 + + // t2_V1 = N18 + t2_V1 := N18 + + // s2_V1 = N19 + s2_V1 := N19 + + // if(!ok_V1) {...} else {...} + if (!ok_V1) { + + // decl + + // return + goto returnLabel + } + + // go initiator_V0_CN0.forwardPackets(keypair_V1, sidRT_V1, kirT_V1, kriT_V1, t2_V1, s2_V1) + exhale true && (acc(InitiatorMem_1605c048_F(initiator_V0_CN0), write) && acc(ConnectionMem_c7a67a88_F(keypair_V1), write)) && (acc(token_c3672ae3_F(t2_V1), 
write) && acc(P_Init_c0f0ff6b_F(t2_V1, getRid_1605c048_PMInitiator(initiator_V0_CN0), s2_V1), write)) && ConnectionKIR_c7a67a88_F(keypair_V1) == gamma_b3aa12e7_F(kirT_V1) && ConnectionKRI_c7a67a88_F(keypair_V1) == gamma_b3aa12e7_F(kriT_V1) && ConnectionSidI_c7a67a88_F(keypair_V1) == gamma_b3aa12e7_F(sidRT_V1) && ConnectionNonceVal_c7a67a88_F(keypair_V1) == 0 && 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0_CN0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), sidRT_V1, kirT_V1, kriT_V1) in s2_V1)) + label returnLabel +} + +method getInitialState_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], sid_V0: Int, a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_) returns (ok_V0: Bool, pskT_V0: D$9084e2f5_1186dc0d_, ltkT_V0: D$9084e2f5_1186dc0d_, ltpkT_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), write) && (true && acc((ShStructget0of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int, write) && acc((ShStructget3of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget4of5((ShStructget1of4(initiator_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write)) && acc((ShStructget2of4(initiator_V0): Ref).val$_Int, write) && acc((ShStructget3of4(initiator_V0): Ref).val$_Int, 
write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0)), Multiset[D$226445f2_3e61b158_]()), write) + requires !(sid_V0 == 1) && !(sid_V0 == 2) && !(sid_V0 == 4) + ensures ok_V0 ==> acc(InitiatorMem_1605c048_F(initiator_V0), write) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, getRid_1605c048_PMInitiator(initiator_V0), s1_V0), write) + ensures ok_V0 ==> 0 < ((PsK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), pskT_V0) in s1_V0)) + ensures ok_V0 ==> 0 < ((LtK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltkT_V0) in s1_V0)) + ensures ok_V0 ==> 0 < ((LtpK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltpkT_V0) in s1_V0)) + ensures ok_V0 ==> 0 < ((Setup_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0))) in s1_V0)) + ensures ok_V0 ==> getPsk_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(pskT_V0) + ensures ok_V0 ==> getKI_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltkT_V0) + ensures ok_V0 ==> getPkR_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltpkT_V0) +{ + inhale ok_V0 == false + inhale pskT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale ltkT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale ltpkT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, sid_V0_CN1: uint32°, a_V0_CN2: uint32°, 
b_V0_CN3: uint32°, t_V0_CN4: Place_c3672ae3_T°, ok_V0_CN5: bool°, pskT_V0_CN6: Term_1186dc0d_T°, ltkT_V0_CN7: Term_1186dc0d_T°, ltpkT_V0_CN8: Term_1186dc0d_T°, t1_V0_CN9: Place_c3672ae3_T°, s1_V0_CN10: mset[Fact_3e61b158_T]° + var s1_V0_CN10: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN9: D$fe170ee1_c3672ae3_ + var ltpkT_V0_CN8: D$9084e2f5_1186dc0d_ + var ltkT_V0_CN7: D$9084e2f5_1186dc0d_ + var pskT_V0_CN6: D$9084e2f5_1186dc0d_ + var ok_V0_CN5: Bool + var t_V0_CN4: D$fe170ee1_c3672ae3_ + var b_V0_CN3: Int + var a_V0_CN2: Int + var sid_V0_CN1: Int + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init sid_V0_CN1 + inhale sid_V0_CN1 == 0 + + // init a_V0_CN2 + inhale a_V0_CN2 == 0 + + // init b_V0_CN3 + inhale b_V0_CN3 == 0 + + // init t_V0_CN4 + inhale t_V0_CN4 == dfltD$fe170ee1_c3672ae3_() + + // init ok_V0_CN5 + inhale ok_V0_CN5 == false + + // init pskT_V0_CN6 + inhale pskT_V0_CN6 == dfltD$9084e2f5_1186dc0d_() + + // init ltkT_V0_CN7 + inhale ltkT_V0_CN7 == dfltD$9084e2f5_1186dc0d_() + + // init ltpkT_V0_CN8 + inhale ltpkT_V0_CN8 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN9 + inhale t1_V0_CN9 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN10 + inhale s1_V0_CN10 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // sid_V0_CN1 = sid_V0 + sid_V0_CN1 := sid_V0 + + // a_V0_CN2 = a_V0 + a_V0_CN2 := a_V0 + + // b_V0_CN3 = b_V0 + b_V0_CN3 := b_V0 + + // t_V0_CN4 = t_V0 + t_V0_CN4 := t_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, psk_V1: ByteString_c7a67a88_T°, N53: bool°, N54: ByteString_c7a67a88_T°, N55: Term_1186dc0d_T°, N56: Place_c3672ae3_T°, N57: mset[Fact_3e61b158_T]°, 
ltk_V1: ByteString_c7a67a88_T°, N58: bool°, N59: ByteString_c7a67a88_T°, N60: Term_1186dc0d_T°, N61: Place_c3672ae3_T°, N62: mset[Fact_3e61b158_T]°, ltpk_V1: ByteString_c7a67a88_T°, N63: bool°, N64: ByteString_c7a67a88_T°, N65: Term_1186dc0d_T°, N66: Place_c3672ae3_T°, N67: mset[Fact_3e61b158_T]°, N68: ByteString_c7a67a88_T°, N69: bool°, N70: Place_c3672ae3_T°, N71: mset[Fact_3e61b158_T]° + var N71: Multiset[D$226445f2_3e61b158_] + var N70: D$fe170ee1_c3672ae3_ + var N69: Bool + var N68: Slice[Ref] + var N67: Multiset[D$226445f2_3e61b158_] + var N66: D$fe170ee1_c3672ae3_ + var N65: D$9084e2f5_1186dc0d_ + var N64: Slice[Ref] + var N63: Bool + var ltpk_V1: Slice[Ref] + var N62: Multiset[D$226445f2_3e61b158_] + var N61: D$fe170ee1_c3672ae3_ + var N60: D$9084e2f5_1186dc0d_ + var N59: Slice[Ref] + var N58: Bool + var ltk_V1: Slice[Ref] + var N57: Multiset[D$226445f2_3e61b158_] + var N56: D$fe170ee1_c3672ae3_ + var N55: D$9084e2f5_1186dc0d_ + var N54: Slice[Ref] + var N53: Bool + var psk_V1: Slice[Ref] + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0_CN1)) + rid_V1 := freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0_CN1)) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = tuple4_d2674021_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), prologueTerm_d2674021_F(), infoTerm_d2674021_F()) + pp_V1 := tuple4_d2674021_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), prologueTerm_d2674021_F(), infoTerm_d2674021_F()) + + // t1_V0_CN9 = t_V0_CN4 + t1_V0_CN9 := t_V0_CN4 + + // s1_V0_CN10 = mset[Fact_3e61b158_T] { } + s1_V0_CN10 := Multiset[D$226445f2_3e61b158_]() + + // init psk_V1 + inhale psk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // psk_V1 = dflt[ByteString_c7a67a88_T] 
+ psk_V1 := sliceDefault_Intbyte$$$_S_$$$() + + // N53, N54, N55, N56, N57 = initiator_V0_CN0getPsk(a_V0_CN2, b_V0_CN3, t_V0_CN4, rid_V1, s1_V0_CN10) + N53, N54, N55, N56, N57 := getPsk_1605c048_PMInitiator(initiator_V0_CN0, a_V0_CN2, b_V0_CN3, t_V0_CN4, rid_V1, s1_V0_CN10) + + // ok_V0_CN5 = N53 + ok_V0_CN5 := N53 + + // psk_V1 = N54 + psk_V1 := N54 + + // pskT_V0_CN6 = N55 + pskT_V0_CN6 := N55 + + // t1_V0_CN9 = N56 + t1_V0_CN9 := N56 + + // s1_V0_CN10 = N57 + s1_V0_CN10 := N57 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // init ltk_V1 + inhale ltk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ltk_V1 = dflt[ByteString_c7a67a88_T] + ltk_V1 := sliceDefault_Intbyte$$$_S_$$$() + + // N58, N59, N60, N61, N62 = initiator_V0_CN0getLtk(a_V0_CN2, b_V0_CN3, t1_V0_CN9, rid_V1, s1_V0_CN10) + N58, N59, N60, N61, N62 := getLtk_1605c048_PMInitiator(initiator_V0_CN0, a_V0_CN2, b_V0_CN3, t1_V0_CN9, rid_V1, s1_V0_CN10) + + // ok_V0_CN5 = N58 + ok_V0_CN5 := N58 + + // ltk_V1 = N59 + ltk_V1 := N59 + + // ltkT_V0_CN7 = N60 + ltkT_V0_CN7 := N60 + + // t1_V0_CN9 = N61 + t1_V0_CN9 := N61 + + // s1_V0_CN10 = N62 + s1_V0_CN10 := N62 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // init ltpk_V1 + inhale ltpk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ltpk_V1 = dflt[ByteString_c7a67a88_T] + ltpk_V1 := sliceDefault_Intbyte$$$_S_$$$() + + // N63, N64, N65, N66, N67 = initiator_V0_CN0getLtpk(a_V0_CN2, b_V0_CN3, t1_V0_CN9, rid_V1, s1_V0_CN10) + N63, N64, N65, N66, N67 := getLtpk_1605c048_PMInitiator(initiator_V0_CN0, a_V0_CN2, b_V0_CN3, t1_V0_CN9, rid_V1, s1_V0_CN10) + + // ok_V0_CN5 = N63 + ok_V0_CN5 := N63 + + // ltpk_V1 = N64 + ltpk_V1 := N64 + + // ltpkT_V0_CN8 = N65 + ltpkT_V0_CN8 := N65 + + // t1_V0_CN9 = N66 + t1_V0_CN9 := N66 + + // s1_V0_CN10 = N67 + s1_V0_CN10 := N67 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + 
goto returnLabel + } + + // *initiator_V0_CN0.HandshakeInfoA.PresharedKeyA = psk_V1 + (ShStructget0of5((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := psk_V1 + + // *initiator_V0_CN0.HandshakeInfoA.PrivateKeyA = ltk_V1 + (ShStructget1of5((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := ltk_V1 + + // *initiator_V0_CN0.HandshakeInfoA.LocalIndexA = sid_V0_CN1 + (ShStructget2of5((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int := sid_V0_CN1 + + // N68 = PublicKey_c7a67a88_F(ltk_V1) + N68 := PublicKey_c7a67a88_F(ltk_V1) + + // *initiator_V0_CN0.HandshakeInfoA.LocalStaticA = N68 + (ShStructget3of5((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := N68 + + // *initiator_V0_CN0.HandshakeInfoA.RemoteStaticA = ltpk_V1 + (ShStructget4of5((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := ltpk_V1 + + // *initiator_V0_CN0.aA = a_V0_CN2 + (ShStructget2of4(initiator_V0_CN0): Ref).val$_Int := a_V0_CN2 + + // *initiator_V0_CN0.bA = b_V0_CN3 + (ShStructget3of4(initiator_V0_CN0): Ref).val$_Int := b_V0_CN3 + + // fold acc(HandshakeArgsMem_c7a67a88_F(&*initiator_V0_CN0.HandshakeInfoA)) + fold acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), write) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0)) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), write) + + // N69, N70, N71 = initiator_V0_CN0getInit0(t1_V0_CN9, rid_V1, s1_V0_CN10) + N69, N70, N71 := getInit0_1605c048_PMInitiator(initiator_V0_CN0, t1_V0_CN9, rid_V1, s1_V0_CN10) + + // ok_V0_CN5 = N69 + ok_V0_CN5 := N69 + + // t1_V0_CN9 = N70 + t1_V0_CN9 := N70 + + // s1_V0_CN10 = N71 + s1_V0_CN10 := N71 + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN5 + ok_V0 := ok_V0_CN5 + + // pskT_V0 = pskT_V0_CN6 + pskT_V0 := 
pskT_V0_CN6 + + // ltkT_V0 = ltkT_V0_CN7 + ltkT_V0 := ltkT_V0_CN7 + + // ltpkT_V0 = ltpkT_V0_CN8 + ltpkT_V0 := ltpkT_V0_CN8 + + // t1_V0 = t1_V0_CN9 + t1_V0 := t1_V0_CN9 + + // s1_V0 = s1_V0_CN10 + s1_V0 := s1_V0_CN10 +} + +method getPsk_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, psk_V0: Slice[Ref], term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), 1 / 2) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, rid_V0, s_V0), write) + ensures acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), 1 / 2) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, rid_V0, s1_V0), write) + ensures ok_V0 ==> (s_V0 subset s1_V0) && 0 < ((PsK_Init_3e61b158_F(rid_V0, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0)), term_V0) in s1_V0)) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(psk_V0), write) && Size_c7a67a88_F(psk_V0) == 32 && Abs_c7a67a88_F(psk_V0) == gamma_b3aa12e7_F(term_V0) +{ + inhale ok_V0 == false + inhale psk_V0 == sliceDefault_Intbyte$$$_S_$$$() + inhale term_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, a_V0_CN1: uint32°, b_V0_CN2: uint32°, t_V0_CN3: Place_c3672ae3_T°, rid_V0_CN4: Term_1186dc0d_T°, s_V0_CN5: mset[Fact_3e61b158_T]°, ok_V0_CN6: bool°, psk_V0_CN7: ByteString_c7a67a88_T°, term_V0_CN8: Term_1186dc0d_T°, t1_V0_CN9: Place_c3672ae3_T°, s1_V0_CN10: mset[Fact_3e61b158_T]° + var s1_V0_CN10: Multiset[D$226445f2_3e61b158_] + var 
t1_V0_CN9: D$fe170ee1_c3672ae3_ + var term_V0_CN8: D$9084e2f5_1186dc0d_ + var psk_V0_CN7: Slice[Ref] + var ok_V0_CN6: Bool + var s_V0_CN5: Multiset[D$226445f2_3e61b158_] + var rid_V0_CN4: D$9084e2f5_1186dc0d_ + var t_V0_CN3: D$fe170ee1_c3672ae3_ + var b_V0_CN2: Int + var a_V0_CN1: Int + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init a_V0_CN1 + inhale a_V0_CN1 == 0 + + // init b_V0_CN2 + inhale b_V0_CN2 == 0 + + // init t_V0_CN3 + inhale t_V0_CN3 == dfltD$fe170ee1_c3672ae3_() + + // init rid_V0_CN4 + inhale rid_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init s_V0_CN5 + inhale s_V0_CN5 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN6 + inhale ok_V0_CN6 == false + + // init psk_V0_CN7 + inhale psk_V0_CN7 == sliceDefault_Intbyte$$$_S_$$$() + + // init term_V0_CN8 + inhale term_V0_CN8 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN9 + inhale t1_V0_CN9 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN10 + inhale s1_V0_CN10 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // a_V0_CN1 = a_V0 + a_V0_CN1 := a_V0 + + // b_V0_CN2 = b_V0 + b_V0_CN2 := b_V0 + + // t_V0_CN3 = t_V0 + t_V0_CN3 := t_V0 + + // rid_V0_CN4 = rid_V0 + rid_V0_CN4 := rid_V0 + + // s_V0_CN5 = s_V0 + s_V0_CN5 := s_V0 + + // decl b1_V1: uint32°, b2_V1: uint32°, N20: bool°, N21: uint32°, N22: uint32°, N23: ByteString_c7a67a88_T°, N24: Place_c3672ae3_T° + var N24: D$fe170ee1_c3672ae3_ + var N23: Slice[Ref] + var N22: Int + var N21: Int + var N20: Bool + var b2_V1: Int + var b1_V1: Int + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5), write) + + 
// unfold acc(phiRF_Init_8_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5)) + unfold acc(phiRF_Init_8_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5), write) + + // assert acc(e_PsK_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4)) + assert acc(e_PsK_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4), write) + + // term_V0_CN8 = get_e_PsK_r3_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4) + term_V0_CN8 := get_e_PsK_r3_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4) + + // init b1_V1 + inhale b1_V1 == 0 + + // init b2_V1 + inhale b2_V1 == 0 + + // b1_V1 = dflt[uint32] + b1_V1 := 0 + + // b2_V1 = dflt[uint32] + b2_V1 := 0 + + // N20, N21, N22, N23, N24 = &*initiator_V0_CN0.LibStateAGetPsKBio(a_V0_CN1, b_V0_CN2, t_V0_CN3, rid_V0_CN4) + N20, N21, N22, N23, N24 := GetPsKBio_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), a_V0_CN1, b_V0_CN2, t_V0_CN3, rid_V0_CN4) + + // ok_V0_CN6 = N20 + ok_V0_CN6 := N20 + + // b1_V1 = N21 + b1_V1 := N21 + + // b2_V1 = N22 + b2_V1 := N22 + + // psk_V0_CN7 = N23 + psk_V0_CN7 := N23 + + // t1_V0_CN9 = N24 + t1_V0_CN9 := N24 + + // if(a_V0_CN1 != b1_V1 || b_V0_CN2 != b2_V1 || len(psk_V0_CN7) != 32) {...} else {...} + if (!(a_V0_CN1 == b1_V1) || !(b_V0_CN2 == b2_V1) || !((slen(psk_V0_CN7): Int) == 32)) { + + // decl + + // ok_V0_CN6 = false + ok_V0_CN6 := false + } + + // if(!ok_V0_CN6) {...} else {...} + if (!ok_V0_CN6) { + + // decl + + // return + goto returnLabel + } + + // s1_V0_CN10 = s_V0_CN5 union mset[Fact_3e61b158_T] { PsK_Init_3e61b158_F(rid_V0_CN4, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN1)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN2)), term_V0_CN8) } + s1_V0_CN10 := (s_V0_CN5 union Multiset(PsK_Init_3e61b158_F(rid_V0_CN4, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN1)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN2)), term_V0_CN8))) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN6 + ok_V0 := ok_V0_CN6 + + // psk_V0 = psk_V0_CN7 + psk_V0 := psk_V0_CN7 + + // term_V0 = term_V0_CN8 + term_V0 := 
term_V0_CN8 + + // t1_V0 = t1_V0_CN9 + t1_V0 := t1_V0_CN9 + + // s1_V0 = s1_V0_CN10 + s1_V0 := s1_V0_CN10 +} + +method getLtk_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, ltk_V0: Slice[Ref], term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), 1 / 2) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, rid_V0, s_V0), write) + ensures acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), 1 / 2) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, rid_V0, s1_V0), write) + ensures ok_V0 ==> (s_V0 subset s1_V0) && 0 < ((LtK_Init_3e61b158_F(rid_V0, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0)), term_V0) in s1_V0)) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(ltk_V0), write) && Size_c7a67a88_F(ltk_V0) == 32 && Abs_c7a67a88_F(ltk_V0) == gamma_b3aa12e7_F(term_V0) +{ + inhale ok_V0 == false + inhale ltk_V0 == sliceDefault_Intbyte$$$_S_$$$() + inhale term_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, a_V0_CN1: uint32°, b_V0_CN2: uint32°, t_V0_CN3: Place_c3672ae3_T°, rid_V0_CN4: Term_1186dc0d_T°, s_V0_CN5: mset[Fact_3e61b158_T]°, ok_V0_CN6: bool°, ltk_V0_CN7: ByteString_c7a67a88_T°, term_V0_CN8: Term_1186dc0d_T°, t1_V0_CN9: Place_c3672ae3_T°, s1_V0_CN10: mset[Fact_3e61b158_T]° + var s1_V0_CN10: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN9: D$fe170ee1_c3672ae3_ + var term_V0_CN8: D$9084e2f5_1186dc0d_ + var ltk_V0_CN7: Slice[Ref] + var ok_V0_CN6: Bool + var s_V0_CN5: Multiset[D$226445f2_3e61b158_] 
+ var rid_V0_CN4: D$9084e2f5_1186dc0d_ + var t_V0_CN3: D$fe170ee1_c3672ae3_ + var b_V0_CN2: Int + var a_V0_CN1: Int + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init a_V0_CN1 + inhale a_V0_CN1 == 0 + + // init b_V0_CN2 + inhale b_V0_CN2 == 0 + + // init t_V0_CN3 + inhale t_V0_CN3 == dfltD$fe170ee1_c3672ae3_() + + // init rid_V0_CN4 + inhale rid_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init s_V0_CN5 + inhale s_V0_CN5 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN6 + inhale ok_V0_CN6 == false + + // init ltk_V0_CN7 + inhale ltk_V0_CN7 == sliceDefault_Intbyte$$$_S_$$$() + + // init term_V0_CN8 + inhale term_V0_CN8 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN9 + inhale t1_V0_CN9 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN10 + inhale s1_V0_CN10 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // a_V0_CN1 = a_V0 + a_V0_CN1 := a_V0 + + // b_V0_CN2 = b_V0 + b_V0_CN2 := b_V0 + + // t_V0_CN3 = t_V0 + t_V0_CN3 := t_V0 + + // rid_V0_CN4 = rid_V0 + rid_V0_CN4 := rid_V0 + + // s_V0_CN5 = s_V0 + s_V0_CN5 := s_V0 + + // decl b1_V1: uint32°, N18: bool°, N19: uint32°, N20: ByteString_c7a67a88_T°, N21: Place_c3672ae3_T° + var N21: D$fe170ee1_c3672ae3_ + var N20: Slice[Ref] + var N19: Int + var N18: Bool + var b1_V1: Int + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5), write) + + // unfold acc(phiRF_Init_6_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5)) + unfold acc(phiRF_Init_6_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5), write) + + // assert acc(e_LtK_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4)) + assert 
acc(e_LtK_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4), write) + + // term_V0_CN8 = get_e_LtK_r2_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4) + term_V0_CN8 := get_e_LtK_r2_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4) + + // init b1_V1 + inhale b1_V1 == 0 + + // b1_V1 = dflt[uint32] + b1_V1 := 0 + + // N18, N19, N20, N21 = &*initiator_V0_CN0.LibStateAGetLtKBio(a_V0_CN1, t_V0_CN3, rid_V0_CN4) + N18, N19, N20, N21 := GetLtKBio_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), a_V0_CN1, t_V0_CN3, rid_V0_CN4) + + // ok_V0_CN6 = N18 + ok_V0_CN6 := N18 + + // b1_V1 = N19 + b1_V1 := N19 + + // ltk_V0_CN7 = N20 + ltk_V0_CN7 := N20 + + // t1_V0_CN9 = N21 + t1_V0_CN9 := N21 + + // if(a_V0_CN1 != b1_V1 || len(ltk_V0_CN7) != 32) {...} else {...} + if (!(a_V0_CN1 == b1_V1) || !((slen(ltk_V0_CN7): Int) == 32)) { + + // decl + + // ok_V0_CN6 = false + ok_V0_CN6 := false + } + + // if(!ok_V0_CN6) {...} else {...} + if (!ok_V0_CN6) { + + // decl + + // return + goto returnLabel + } + + // s1_V0_CN10 = s_V0_CN5 union mset[Fact_3e61b158_T] { LtK_Init_3e61b158_F(rid_V0_CN4, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN1)), term_V0_CN8) } + s1_V0_CN10 := (s_V0_CN5 union Multiset(LtK_Init_3e61b158_F(rid_V0_CN4, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN1)), term_V0_CN8))) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN6 + ok_V0 := ok_V0_CN6 + + // ltk_V0 = ltk_V0_CN7 + ltk_V0 := ltk_V0_CN7 + + // term_V0 = term_V0_CN8 + term_V0 := term_V0_CN8 + + // t1_V0 = t1_V0_CN9 + t1_V0 := t1_V0_CN9 + + // s1_V0 = s1_V0_CN10 + s1_V0 := s1_V0_CN10 +} + +method getLtpk_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, ltpk_V0: Slice[Ref], term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + 
requires acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), 1 / 2) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, rid_V0, s_V0), write) + ensures acc(LibMem_c7a67a88_F((ShStructget0of4(initiator_V0): ShStruct4[Ref, Ref, Ref, Ref])), 1 / 2) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, rid_V0, s1_V0), write) + ensures ok_V0 ==> (s_V0 subset s1_V0) && 0 < ((LtpK_Init_3e61b158_F(rid_V0, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0)), term_V0) in s1_V0)) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(ltpk_V0), write) && Size_c7a67a88_F(ltpk_V0) == 32 && Abs_c7a67a88_F(ltpk_V0) == gamma_b3aa12e7_F(term_V0) +{ + inhale ok_V0 == false + inhale ltpk_V0 == sliceDefault_Intbyte$$$_S_$$$() + inhale term_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, a_V0_CN1: uint32°, b_V0_CN2: uint32°, t_V0_CN3: Place_c3672ae3_T°, rid_V0_CN4: Term_1186dc0d_T°, s_V0_CN5: mset[Fact_3e61b158_T]°, ok_V0_CN6: bool°, ltpk_V0_CN7: ByteString_c7a67a88_T°, term_V0_CN8: Term_1186dc0d_T°, t1_V0_CN9: Place_c3672ae3_T°, s1_V0_CN10: mset[Fact_3e61b158_T]° + var s1_V0_CN10: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN9: D$fe170ee1_c3672ae3_ + var term_V0_CN8: D$9084e2f5_1186dc0d_ + var ltpk_V0_CN7: Slice[Ref] + var ok_V0_CN6: Bool + var s_V0_CN5: Multiset[D$226445f2_3e61b158_] + var rid_V0_CN4: D$9084e2f5_1186dc0d_ + var t_V0_CN3: D$fe170ee1_c3672ae3_ + var b_V0_CN2: Int + var a_V0_CN1: Int + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init a_V0_CN1 + inhale a_V0_CN1 
== 0 + + // init b_V0_CN2 + inhale b_V0_CN2 == 0 + + // init t_V0_CN3 + inhale t_V0_CN3 == dfltD$fe170ee1_c3672ae3_() + + // init rid_V0_CN4 + inhale rid_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init s_V0_CN5 + inhale s_V0_CN5 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN6 + inhale ok_V0_CN6 == false + + // init ltpk_V0_CN7 + inhale ltpk_V0_CN7 == sliceDefault_Intbyte$$$_S_$$$() + + // init term_V0_CN8 + inhale term_V0_CN8 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN9 + inhale t1_V0_CN9 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN10 + inhale s1_V0_CN10 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // a_V0_CN1 = a_V0 + a_V0_CN1 := a_V0 + + // b_V0_CN2 = b_V0 + b_V0_CN2 := b_V0 + + // t_V0_CN3 = t_V0 + t_V0_CN3 := t_V0 + + // rid_V0_CN4 = rid_V0 + rid_V0_CN4 := rid_V0 + + // s_V0_CN5 = s_V0 + s_V0_CN5 := s_V0 + + // decl b1_V1: uint32°, N18: bool°, N19: uint32°, N20: ByteString_c7a67a88_T°, N21: Place_c3672ae3_T° + var N21: D$fe170ee1_c3672ae3_ + var N20: Slice[Ref] + var N19: Int + var N18: Bool + var b1_V1: Int + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5), write) + + // unfold acc(phiRF_Init_7_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5)) + unfold acc(phiRF_Init_7_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4, s_V0_CN5), write) + + // assert acc(e_LtpK_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4)) + assert acc(e_LtpK_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4), write) + + // term_V0_CN8 = get_e_LtpK_r2_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4) + term_V0_CN8 := get_e_LtpK_r2_c0f0ff6b_F(t_V0_CN3, rid_V0_CN4) + + // init b1_V1 + inhale b1_V1 == 0 + + // b1_V1 = dflt[uint32] + b1_V1 := 0 + + // N18, N19, N20, N21 = &*initiator_V0_CN0.LibStateAGetLtpKBio(b_V0_CN2, t_V0_CN3, rid_V0_CN4) + N18, N19, N20, N21 := GetLtpKBio_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), b_V0_CN2, t_V0_CN3, 
rid_V0_CN4) + + // ok_V0_CN6 = N18 + ok_V0_CN6 := N18 + + // b1_V1 = N19 + b1_V1 := N19 + + // ltpk_V0_CN7 = N20 + ltpk_V0_CN7 := N20 + + // t1_V0_CN9 = N21 + t1_V0_CN9 := N21 + + // if(b_V0_CN2 != b1_V1 || len(ltpk_V0_CN7) != 32) {...} else {...} + if (!(b_V0_CN2 == b1_V1) || !((slen(ltpk_V0_CN7): Int) == 32)) { + + // decl + + // ok_V0_CN6 = false + ok_V0_CN6 := false + } + + // if(!ok_V0_CN6) {...} else {...} + if (!ok_V0_CN6) { + + // decl + + // return + goto returnLabel + } + + // s1_V0_CN10 = s_V0_CN5 union mset[Fact_3e61b158_T] { LtpK_Init_3e61b158_F(rid_V0_CN4, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN2)), term_V0_CN8) } + s1_V0_CN10 := (s_V0_CN5 union Multiset(LtpK_Init_3e61b158_F(rid_V0_CN4, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN2)), term_V0_CN8))) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN6 + ok_V0 := ok_V0_CN6 + + // ltpk_V0 = ltpk_V0_CN7 + ltpk_V0 := ltpk_V0_CN7 + + // term_V0 = term_V0_CN8 + term_V0 := term_V0_CN8 + + // t1_V0 = t1_V0_CN9 + t1_V0 := t1_V0_CN9 + + // s1_V0 = s1_V0_CN10 + s1_V0 := s1_V0_CN10 +} + +method getInit0_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 2) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, rid_V0, s_V0), write) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 2) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, rid_V0, s1_V0), write) + ensures ok_V0 ==> (s_V0 subset s1_V0) && 0 < ((Setup_Init_3e61b158_F(rid_V0, getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), 
getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0))) in s1_V0)) +{ + inhale ok_V0 == false + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, t_V0_CN1: Place_c3672ae3_T°, rid_V0_CN2: Term_1186dc0d_T°, s_V0_CN3: mset[Fact_3e61b158_T]°, ok_V0_CN4: bool°, t1_V0_CN5: Place_c3672ae3_T°, s1_V0_CN6: mset[Fact_3e61b158_T]° + var s1_V0_CN6: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN5: D$fe170ee1_c3672ae3_ + var ok_V0_CN4: Bool + var s_V0_CN3: Multiset[D$226445f2_3e61b158_] + var rid_V0_CN2: D$9084e2f5_1186dc0d_ + var t_V0_CN1: D$fe170ee1_c3672ae3_ + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init t_V0_CN1 + inhale t_V0_CN1 == dfltD$fe170ee1_c3672ae3_() + + // init rid_V0_CN2 + inhale rid_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init s_V0_CN3 + inhale s_V0_CN3 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN4 + inhale ok_V0_CN4 == false + + // init t1_V0_CN5 + inhale t1_V0_CN5 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN6 + inhale s1_V0_CN6 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // t_V0_CN1 = t_V0 + t_V0_CN1 := t_V0 + + // rid_V0_CN2 = rid_V0 + rid_V0_CN2 := rid_V0 + + // s_V0_CN3 = s_V0 + s_V0_CN3 := s_V0 + + // decl m1_V1: Term_1186dc0d_T°, m2_V1: Term_1186dc0d_T°, m3_V1: Term_1186dc0d_T°, m4_V1: Term_1186dc0d_T°, a_V1: uint32°, b_V1: uint32°, N20: bool°, N21: uint32°, N22: uint32°, N23: Place_c3672ae3_T°, b1_V1: uint32°, b2_V1: uint32°, pp_V1: Term_1186dc0d_T° + var pp_V1: D$9084e2f5_1186dc0d_ + var b2_V1: 
Int + var b1_V1: Int + var N23: D$fe170ee1_c3672ae3_ + var N22: Int + var N21: Int + var N20: Bool + var b_V1: Int + var a_V1: Int + var m4_V1: D$9084e2f5_1186dc0d_ + var m3_V1: D$9084e2f5_1186dc0d_ + var m2_V1: D$9084e2f5_1186dc0d_ + var m1_V1: D$9084e2f5_1186dc0d_ + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2, s_V0_CN3)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2, s_V0_CN3), write) + + // unfold acc(phiRF_Init_15_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2, s_V0_CN3)) + unfold acc(phiRF_Init_15_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2, s_V0_CN3), write) + + // assert acc(e_Setup_Init_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2)) + assert acc(e_Setup_Init_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2), write) + + // init m1_V1 + inhale m1_V1 == dfltD$9084e2f5_1186dc0d_() + + // init m2_V1 + inhale m2_V1 == dfltD$9084e2f5_1186dc0d_() + + // init m3_V1 + inhale m3_V1 == dfltD$9084e2f5_1186dc0d_() + + // init m4_V1 + inhale m4_V1 == dfltD$9084e2f5_1186dc0d_() + + // m1_V1 = get_e_Setup_Init_r1_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2) + m1_V1 := get_e_Setup_Init_r1_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2) + + // m2_V1 = get_e_Setup_Init_r2_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2) + m2_V1 := get_e_Setup_Init_r2_c0f0ff6b_F(t_V0_CN1, rid_V0_CN2) + + // m3_V1 = prologueTerm_d2674021_F() + m3_V1 := prologueTerm_d2674021_F() + + // m4_V1 = infoTerm_d2674021_F() + m4_V1 := infoTerm_d2674021_F() + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // init a_V1 + inhale a_V1 == 0 + + // a_V1 = *initiator_V0_CN0.aA + a_V1 := (ShStructget2of4(initiator_V0_CN0): Ref).val$_Int + + // init b_V1 + inhale b_V1 == 0 + + // b_V1 = *initiator_V0_CN0.bA + b_V1 := (ShStructget3of4(initiator_V0_CN0): Ref).val$_Int + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // N20, N21, N22, N23 = GetInit0I_c7a67a88_F(a_V1, b_V1, t_V0_CN1, rid_V0_CN2) + N20, N21, N22, N23 := 
GetInit0I_c7a67a88_F(a_V1, b_V1, t_V0_CN1, rid_V0_CN2) + + // init b1_V1 + inhale b1_V1 == 0 + + // init b2_V1 + inhale b2_V1 == 0 + + // ok_V0_CN4 = N20 + ok_V0_CN4 := N20 + + // b1_V1 = N21 + b1_V1 := N21 + + // b2_V1 = N22 + b2_V1 := N22 + + // t1_V0_CN5 = N23 + t1_V0_CN5 := N23 + + // if(a_V1 != b1_V1 || b_V1 != b2_V1) {...} else {...} + if (!(a_V1 == b1_V1) || !(b_V1 == b2_V1)) { + + // decl + + // ok_V0_CN4 = false + ok_V0_CN4 := false + } + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = tuple4_d2674021_F(m1_V1, m2_V1, m3_V1, m4_V1) + pp_V1 := tuple4_d2674021_F(m1_V1, m2_V1, m3_V1, m4_V1) + + // s1_V0_CN6 = s_V0_CN3 union mset[Fact_3e61b158_T] { Setup_Init_3e61b158_F(rid_V0_CN2, getFirst_d2674021_F(pp_V1), getSecond_d2674021_F(pp_V1), getThird_d2674021_F(pp_V1), getForth_d2674021_F(pp_V1)) } + s1_V0_CN6 := (s_V0_CN3 union Multiset(Setup_Init_3e61b158_F(rid_V0_CN2, getFirst_d2674021_F(pp_V1), getSecond_d2674021_F(pp_V1), getThird_d2674021_F(pp_V1), getForth_d2674021_F(pp_V1)))) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN4 + ok_V0 := ok_V0_CN4 + + // t1_V0 = t1_V0_CN5 + t1_V0 := t1_V0_CN5 + + // s1_V0 = s1_V0_CN6 + s1_V0 := s1_V0_CN6 +} + +method runHandshake_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], pskT_V0: D$9084e2f5_1186dc0d_, ltkT_V0: D$9084e2f5_1186dc0d_, ltpkT_V0: D$9084e2f5_1186dc0d_, t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (conn_V0: ShStruct4[Ref, Ref, Ref, Ref], ok_V0: Bool, sidRT_V0: D$9084e2f5_1186dc0d_, kirT_V0: D$9084e2f5_1186dc0d_, kriT_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 2) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, getRid_1605c048_PMInitiator(initiator_V0), s_V0), write) + requires 0 < 
((PsK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), pskT_V0) in s_V0)) + requires 0 < ((LtK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltkT_V0) in s_V0)) + requires 0 < ((LtpK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltpkT_V0) in s_V0)) + requires 0 < ((Setup_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0))) in s_V0)) + requires getPsk_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(pskT_V0) + requires getKI_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltkT_V0) + requires getPkR_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltpkT_V0) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 2) + ensures ok_V0 ==> acc(ConnectionMem_c7a67a88_F(conn_V0), write) && ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, getRid_1605c048_PMInitiator(initiator_V0), s1_V0), write) + ensures ok_V0 ==> 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s1_V0)) + ensures ok_V0 ==> ConnectionKIR_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kirT_V0) + ensures ok_V0 ==> ConnectionKRI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kriT_V0) + ensures ok_V0 ==> 
ConnectionSidI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(sidRT_V0) +{ + inhale conn_V0 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + inhale ok_V0 == false + inhale sidRT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale kirT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale kriT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, pskT_V0_CN1: Term_1186dc0d_T°, ltkT_V0_CN2: Term_1186dc0d_T°, ltpkT_V0_CN3: Term_1186dc0d_T°, t_V0_CN4: Place_c3672ae3_T°, s_V0_CN5: mset[Fact_3e61b158_T]°, conn_V0_CN6: *Connection_c7a67a88_T°, ok_V0_CN7: bool°, sidRT_V0_CN8: Term_1186dc0d_T°, kirT_V0_CN9: Term_1186dc0d_T°, kriT_V0_CN10: Term_1186dc0d_T°, t1_V0_CN11: Place_c3672ae3_T°, s1_V0_CN12: mset[Fact_3e61b158_T]° + var s1_V0_CN12: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN11: D$fe170ee1_c3672ae3_ + var kriT_V0_CN10: D$9084e2f5_1186dc0d_ + var kirT_V0_CN9: D$9084e2f5_1186dc0d_ + var sidRT_V0_CN8: D$9084e2f5_1186dc0d_ + var ok_V0_CN7: Bool + var conn_V0_CN6: ShStruct4[Ref, Ref, Ref, Ref] + var s_V0_CN5: Multiset[D$226445f2_3e61b158_] + var t_V0_CN4: D$fe170ee1_c3672ae3_ + var ltpkT_V0_CN3: D$9084e2f5_1186dc0d_ + var ltkT_V0_CN2: D$9084e2f5_1186dc0d_ + var pskT_V0_CN1: D$9084e2f5_1186dc0d_ + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init pskT_V0_CN1 + inhale pskT_V0_CN1 == dfltD$9084e2f5_1186dc0d_() + + // init ltkT_V0_CN2 + inhale ltkT_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init ltpkT_V0_CN3 + inhale ltpkT_V0_CN3 == 
dfltD$9084e2f5_1186dc0d_() + + // init t_V0_CN4 + inhale t_V0_CN4 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN5 + inhale s_V0_CN5 == Multiset[D$226445f2_3e61b158_]() + + // init conn_V0_CN6 + inhale conn_V0_CN6 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init ok_V0_CN7 + inhale ok_V0_CN7 == false + + // init sidRT_V0_CN8 + inhale sidRT_V0_CN8 == dfltD$9084e2f5_1186dc0d_() + + // init kirT_V0_CN9 + inhale kirT_V0_CN9 == dfltD$9084e2f5_1186dc0d_() + + // init kriT_V0_CN10 + inhale kriT_V0_CN10 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN11 + inhale t1_V0_CN11 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN12 + inhale s1_V0_CN12 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // pskT_V0_CN1 = pskT_V0 + pskT_V0_CN1 := pskT_V0 + + // ltkT_V0_CN2 = ltkT_V0 + ltkT_V0_CN2 := ltkT_V0 + + // ltpkT_V0_CN3 = ltpkT_V0 + ltpkT_V0_CN3 := ltpkT_V0 + + // t_V0_CN4 = t_V0 + t_V0_CN4 := t_V0 + + // s_V0_CN5 = s_V0 + s_V0_CN5 := s_V0 + + // decl N62: *Handshake_c7a67a88_T°, handshake_V1: *Handshake_c7a67a88_T°, ekiT_V1: Term_1186dc0d_T°, c3T_V1: Term_1186dc0d_T°, h4T_V1: Term_1186dc0d_T°, N63: bool°, N64: Term_1186dc0d_T°, N65: Term_1186dc0d_T°, N66: Term_1186dc0d_T°, N67: Place_c3672ae3_T°, N68: mset[Fact_3e61b158_T]°, c7T_V1: Term_1186dc0d_T°, BeforeRecvResp_L, N71: bool°, N72: Term_1186dc0d_T°, N73: Term_1186dc0d_T°, N74: Place_c3672ae3_T°, N75: mset[Fact_3e61b158_T]°, BeforeSymSess_L, N76: *Connection_c7a67a88_T° + var N76: ShStruct4[Ref, Ref, Ref, Ref] + var N75: Multiset[D$226445f2_3e61b158_] + var N74: D$fe170ee1_c3672ae3_ + var N73: D$9084e2f5_1186dc0d_ + var N72: D$9084e2f5_1186dc0d_ + var N71: Bool + var c7T_V1: D$9084e2f5_1186dc0d_ + var N68: Multiset[D$226445f2_3e61b158_] + var N67: D$fe170ee1_c3672ae3_ + var N66: D$9084e2f5_1186dc0d_ + var N65: 
D$9084e2f5_1186dc0d_ + var N64: D$9084e2f5_1186dc0d_ + var N63: Bool + var h4T_V1: D$9084e2f5_1186dc0d_ + var c3T_V1: D$9084e2f5_1186dc0d_ + var ekiT_V1: D$9084e2f5_1186dc0d_ + var handshake_V1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var N62: ShStruct5[Ref, Ref, Ref, Ref, Ref] + + // N62 = new(Handshake_c7a67a88_T{dflt[ByteString_c7a67a88_T], dflt[ByteString_c7a67a88_T], dflt[ByteString_c7a67a88_T], dflt[uint32], dflt[ByteString_c7a67a88_T]}) + var fn$$0: ShStruct5[Ref, Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of5(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(fn$$0): Ref).val$_Int, write) && acc((ShStructget4of5(fn$$0): Ref).val$_Slice_Ref, write) && (true && (ShStructget0of5(fn$$0): Ref).val$_Slice_Ref == (get0of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref]) && (ShStructget1of5(fn$$0): Ref).val$_Slice_Ref == (get1of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref]) && (ShStructget2of5(fn$$0): Ref).val$_Slice_Ref == (get2of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref]) && (ShStructget3of5(fn$$0): Ref).val$_Int == (get3of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Int) && (ShStructget4of5(fn$$0): Ref).val$_Slice_Ref == 
(get4of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref])) + N62 := fn$$0 + + // init handshake_V1 + inhale handshake_V1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // handshake_V1 = N62 + handshake_V1 := N62 + + // init ekiT_V1 + inhale ekiT_V1 == dfltD$9084e2f5_1186dc0d_() + + // init c3T_V1 + inhale c3T_V1 == dfltD$9084e2f5_1186dc0d_() + + // init h4T_V1 + inhale h4T_V1 == dfltD$9084e2f5_1186dc0d_() + + // ekiT_V1 = dflt[Term_1186dc0d_T] + ekiT_V1 := dfltD$9084e2f5_1186dc0d_() + + // c3T_V1 = dflt[Term_1186dc0d_T] + c3T_V1 := dfltD$9084e2f5_1186dc0d_() + + // h4T_V1 = dflt[Term_1186dc0d_T] + h4T_V1 := dfltD$9084e2f5_1186dc0d_() + + // N63, N64, N65, N66, N67, N68 = initiator_V0_CN0sendRequest(handshake_V1, pskT_V0_CN1, ltkT_V0_CN2, ltpkT_V0_CN3, t_V0_CN4, s_V0_CN5) + N63, N64, N65, N66, N67, N68 := sendRequest_1605c048_PMInitiator(initiator_V0_CN0, handshake_V1, pskT_V0_CN1, ltkT_V0_CN2, ltpkT_V0_CN3, t_V0_CN4, s_V0_CN5) + + // ok_V0_CN7 = N63 + ok_V0_CN7 := N63 + + // ekiT_V1 = N64 + ekiT_V1 := N64 + + // c3T_V1 = N65 + c3T_V1 := N65 + + // h4T_V1 = N66 + h4T_V1 := N66 + + // t1_V0_CN11 = N67 + t1_V0_CN11 := N67 + + // s1_V0_CN12 = N68 + s1_V0_CN12 := N68 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // assert getEkI_1605c048_F(handshake_V1) == gamma_b3aa12e7_F(ekiT_V1) + assert getEkI_1605c048_F(handshake_V1) == gamma_b3aa12e7_F(ekiT_V1) + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // 
&*initiator_V0_CN0.LibStateAPrintln("Success Sending Request") + Println_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), stringLit537563636573732053656e64696e672052657175657374()) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // init c7T_V1 + inhale c7T_V1 == dfltD$9084e2f5_1186dc0d_() + + // c7T_V1 = dflt[Term_1186dc0d_T] + c7T_V1 := dfltD$9084e2f5_1186dc0d_() + + // BeforeRecvResp_L + label BeforeRecvResp_L + + // N71, N72, N73, N74, N75 = initiator_V0_CN0receiveResponse(handshake_V1, pskT_V0_CN1, ltkT_V0_CN2, ltpkT_V0_CN3, ekiT_V1, c3T_V1, h4T_V1, t1_V0_CN11, s1_V0_CN12) + N71, N72, N73, N74, N75 := receiveResponse_1605c048_PMInitiator(initiator_V0_CN0, handshake_V1, pskT_V0_CN1, ltkT_V0_CN2, ltpkT_V0_CN3, ekiT_V1, c3T_V1, h4T_V1, t1_V0_CN11, s1_V0_CN12) + + // ok_V0_CN7 = N71 + ok_V0_CN7 := N71 + + // sidRT_V0_CN8 = N72 + sidRT_V0_CN8 := N72 + + // c7T_V1 = N73 + c7T_V1 := N73 + + // t1_V0_CN11 = N74 + t1_V0_CN11 := N74 + + // s1_V0_CN12 = N75 + s1_V0_CN12 := N75 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // &*initiator_V0_CN0.LibStateAPrintln("Success Consuming Response") + Println_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), stringLit5375636365737320436f6e73756d696e6720526573706f6e7365()) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // BeforeSymSess_L + label BeforeSymSess_L + + // N76 = initiator_V0_CN0beginSymmetricSession(handshake_V1, c7T_V1) + N76 := beginSymmetricSession_1605c048_PMInitiator(initiator_V0_CN0, handshake_V1, c7T_V1) + + // conn_V0_CN6 = N76 + conn_V0_CN6 := N76 + + // kirT_V0_CN9 = 
kdf1__d2674021_F(c7T_V1) + kirT_V0_CN9 := kdf1__d2674021_F(c7T_V1) + + // kriT_V0_CN10 = kdf2__d2674021_F(c7T_V1) + kriT_V0_CN10 := kdf2__d2674021_F(c7T_V1) + + // return + goto returnLabel + label returnLabel + + // conn_V0 = conn_V0_CN6 + conn_V0 := conn_V0_CN6 + + // ok_V0 = ok_V0_CN7 + ok_V0 := ok_V0_CN7 + + // sidRT_V0 = sidRT_V0_CN8 + sidRT_V0 := sidRT_V0_CN8 + + // kirT_V0 = kirT_V0_CN9 + kirT_V0 := kirT_V0_CN9 + + // kriT_V0 = kriT_V0_CN10 + kriT_V0 := kriT_V0_CN10 + + // t1_V0 = t1_V0_CN11 + t1_V0 := t1_V0_CN11 + + // s1_V0 = s1_V0_CN12 + s1_V0 := s1_V0_CN12 +} + +method sendRequest_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], pskT_V0: D$9084e2f5_1186dc0d_, ltkT_V0: D$9084e2f5_1186dc0d_, ltpkT_V0: D$9084e2f5_1186dc0d_, t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, ekiT_V0: D$9084e2f5_1186dc0d_, c3T_V0: D$9084e2f5_1186dc0d_, h4T_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 4) && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write)) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, getRid_1605c048_PMInitiator(initiator_V0), s_V0), write) + requires 0 < ((PsK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), pskT_V0) in s_V0)) + requires 0 < ((LtK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltkT_V0) in s_V0)) + 
requires 0 < ((LtpK_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltpkT_V0) in s_V0)) + requires 0 < ((Setup_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0))) in s_V0)) + requires getPsk_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(pskT_V0) + requires getKI_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltkT_V0) + requires getPkR_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltpkT_V0) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 4) + ensures ok_V0 ==> acc(HandshakeMem_1605c048_F(hs_V0), write) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, getRid_1605c048_PMInitiator(initiator_V0), s1_V0), write) + ensures ok_V0 ==> 0 < ((St_Init_1_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltkT_V0, ltpkT_V0, ekiT_V0, pskT_V0, c3T_V0, h4T_V0) in s1_V0)) + ensures ok_V0 ==> getEkI_1605c048_F(hs_V0) == gamma_b3aa12e7_F(ekiT_V0) + ensures ok_V0 ==> getNKey_1605c048_F(hs_V0) == gamma_b3aa12e7_F(c3T_V0) + ensures ok_V0 ==> getNHash_1605c048_F(hs_V0) == gamma_b3aa12e7_F(h4T_V0) +{ + inhale ok_V0 == false + inhale ekiT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale c3T_V0 == dfltD$9084e2f5_1186dc0d_() + inhale h4T_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, pskT_V0_CN2: 
Term_1186dc0d_T°, ltkT_V0_CN3: Term_1186dc0d_T°, ltpkT_V0_CN4: Term_1186dc0d_T°, t_V0_CN5: Place_c3672ae3_T°, s_V0_CN6: mset[Fact_3e61b158_T]°, ok_V0_CN7: bool°, ekiT_V0_CN8: Term_1186dc0d_T°, c3T_V0_CN9: Term_1186dc0d_T°, h4T_V0_CN10: Term_1186dc0d_T°, t1_V0_CN11: Place_c3672ae3_T°, s1_V0_CN12: mset[Fact_3e61b158_T]° + var s1_V0_CN12: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN11: D$fe170ee1_c3672ae3_ + var h4T_V0_CN10: D$9084e2f5_1186dc0d_ + var c3T_V0_CN9: D$9084e2f5_1186dc0d_ + var ekiT_V0_CN8: D$9084e2f5_1186dc0d_ + var ok_V0_CN7: Bool + var s_V0_CN6: Multiset[D$226445f2_3e61b158_] + var t_V0_CN5: D$fe170ee1_c3672ae3_ + var ltpkT_V0_CN4: D$9084e2f5_1186dc0d_ + var ltkT_V0_CN3: D$9084e2f5_1186dc0d_ + var pskT_V0_CN2: D$9084e2f5_1186dc0d_ + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init pskT_V0_CN2 + inhale pskT_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init ltkT_V0_CN3 + inhale ltkT_V0_CN3 == dfltD$9084e2f5_1186dc0d_() + + // init ltpkT_V0_CN4 + inhale ltpkT_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init t_V0_CN5 + inhale t_V0_CN5 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN6 + inhale s_V0_CN6 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN7 + inhale ok_V0_CN7 == false + + // init ekiT_V0_CN8 + inhale ekiT_V0_CN8 == dfltD$9084e2f5_1186dc0d_() + + // init c3T_V0_CN9 + inhale c3T_V0_CN9 == 
dfltD$9084e2f5_1186dc0d_() + + // init h4T_V0_CN10 + inhale h4T_V0_CN10 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN11 + inhale t1_V0_CN11 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN12 + inhale s1_V0_CN12 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // pskT_V0_CN2 = pskT_V0 + pskT_V0_CN2 := pskT_V0 + + // ltkT_V0_CN3 = ltkT_V0 + ltkT_V0_CN3 := ltkT_V0 + + // ltpkT_V0_CN4 = ltpkT_V0 + ltpkT_V0_CN4 := ltpkT_V0 + + // t_V0_CN5 = t_V0 + t_V0_CN5 := t_V0 + + // s_V0_CN6 = s_V0 + s_V0_CN6 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, newPk_V1: ByteString_c7a67a88_T°, N63: ByteString_c7a67a88_T°, N64: bool°, N65: Place_c3672ae3_T°, newTs_V1: ByteString_c7a67a88_T°, N67: ByteString_c7a67a88_T°, N68: ByteString_c7a67a88_T°, tsT_V1: Term_1186dc0d_T°, N70: ByteString_c7a67a88_T°, N71: Place_c3672ae3_T°, sidI_V1: Bytes_b3aa12e7_T°, kI_V1: Bytes_b3aa12e7_T°, pkR_V1: Bytes_b3aa12e7_T°, psk_V1: Bytes_b3aa12e7_T°, ekI_V1: Bytes_b3aa12e7_T°, ts_V1: Bytes_b3aa12e7_T°, N79: *Request_c7a67a88_T°, N80: bool°, request_V1: *Request_c7a67a88_T°, N81: ByteString_c7a67a88_T°, packet_V1: ByteString_c7a67a88_T°, pp_V1: Term_1186dc0d_T°, mac1T_V1: Term_1186dc0d_T°, N87: Bytes_b3aa12e7_T°, N88: Place_c3672ae3_T°, mac1_V1: Bytes_b3aa12e7_T°, mac2T_V1: Term_1186dc0d_T°, N94: Bytes_b3aa12e7_T°, N95: Place_c3672ae3_T°, mac2_V1: Bytes_b3aa12e7_T°, Q1sidI_V1: Term_1186dc0d_T°, Q1a_V1: Term_1186dc0d_T°, Q1b_V1: Term_1186dc0d_T°, Q1prologue_V1: Term_1186dc0d_T°, Q1info_V1: Term_1186dc0d_T°, Q1kI_V1: Term_1186dc0d_T°, Q1pkR_V1: Term_1186dc0d_T°, Q1psk_V1: Term_1186dc0d_T°, Q1ekI_V1: Term_1186dc0d_T°, Q1timestamp_V1: Term_1186dc0d_T°, Q1mac1I_V1: Term_1186dc0d_T°, Q1mac2I_V1: Term_1186dc0d_T°, l_V1: mset[Fact_3e61b158_T]°, aM_V1: mset[Claim_2716b91c_T]°, r_V1: mset[Fact_3e61b158_T]°, N109: Place_c3672ae3_T°, packetTerm_V1: Term_1186dc0d_T°, N113: bool°, N114: Place_c3672ae3_T° + 
var N114: D$fe170ee1_c3672ae3_ + var N113: Bool + var packetTerm_V1: D$9084e2f5_1186dc0d_ + var N109: D$fe170ee1_c3672ae3_ + var r_V1: Multiset[D$226445f2_3e61b158_] + var aM_V1: Multiset[D$46be403b_2716b91c_] + var l_V1: Multiset[D$226445f2_3e61b158_] + var Q1mac2I_V1: D$9084e2f5_1186dc0d_ + var Q1mac1I_V1: D$9084e2f5_1186dc0d_ + var Q1timestamp_V1: D$9084e2f5_1186dc0d_ + var Q1ekI_V1: D$9084e2f5_1186dc0d_ + var Q1psk_V1: D$9084e2f5_1186dc0d_ + var Q1pkR_V1: D$9084e2f5_1186dc0d_ + var Q1kI_V1: D$9084e2f5_1186dc0d_ + var Q1info_V1: D$9084e2f5_1186dc0d_ + var Q1prologue_V1: D$9084e2f5_1186dc0d_ + var Q1b_V1: D$9084e2f5_1186dc0d_ + var Q1a_V1: D$9084e2f5_1186dc0d_ + var Q1sidI_V1: D$9084e2f5_1186dc0d_ + var mac2_V1: D$8d64a7ad_b3aa12e7_ + var N95: D$fe170ee1_c3672ae3_ + var N94: D$8d64a7ad_b3aa12e7_ + var mac2T_V1: D$9084e2f5_1186dc0d_ + var mac1_V1: D$8d64a7ad_b3aa12e7_ + var N88: D$fe170ee1_c3672ae3_ + var N87: D$8d64a7ad_b3aa12e7_ + var mac1T_V1: D$9084e2f5_1186dc0d_ + var pp_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N81: Slice[Ref] + var request_V1: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var N80: Bool + var N79: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var ts_V1: D$8d64a7ad_b3aa12e7_ + var ekI_V1: D$8d64a7ad_b3aa12e7_ + var psk_V1: D$8d64a7ad_b3aa12e7_ + var pkR_V1: D$8d64a7ad_b3aa12e7_ + var kI_V1: D$8d64a7ad_b3aa12e7_ + var sidI_V1: D$8d64a7ad_b3aa12e7_ + var N71: D$fe170ee1_c3672ae3_ + var N70: Slice[Ref] + var tsT_V1: D$9084e2f5_1186dc0d_ + var N68: Slice[Ref] + var N67: Slice[Ref] + var newTs_V1: Slice[Ref] + var N65: D$fe170ee1_c3672ae3_ + var N64: Bool + var N63: Slice[Ref] + var newPk_V1: Slice[Ref] + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = initiator_V0_CN0.getRid() + rid_V1 := getRid_1605c048_PMInitiator(initiator_V0_CN0) + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) 
+ + // unfold acc(phiRF_Init_9_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + unfold acc(phiRF_Init_9_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // assert acc(e_FrFact_c0f0ff6b_F(t_V0_CN5, rid_V1)) + assert acc(e_FrFact_c0f0ff6b_F(t_V0_CN5, rid_V1), write) + + // init newPk_V1 + inhale newPk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // newPk_V1 = dflt[ByteString_c7a67a88_T] + newPk_V1 := sliceDefault_Intbyte$$$_S_$$$() + + // ekiT_V0_CN8 = get_e_FrFact_r1_c0f0ff6b_F(t_V0_CN5, rid_V1) + ekiT_V0_CN8 := get_e_FrFact_r1_c0f0ff6b_F(t_V0_CN5, rid_V1) + + // N63, N64, N65 = NewPrivateKey_c7a67a88_F(t_V0_CN5, rid_V1) + N63, N64, N65 := NewPrivateKey_c7a67a88_F(t_V0_CN5, rid_V1) + + // newPk_V1 = N63 + newPk_V1 := N63 + + // ok_V0_CN7 = N64 + ok_V0_CN7 := N64 + + // t1_V0_CN11 = N65 + t1_V0_CN11 := N65 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // s1_V0_CN12 = s_V0_CN6 union mset[Fact_3e61b158_T] { FrFact_Init_3e61b158_F(rid_V1, ekiT_V0_CN8) } + s1_V0_CN12 := (s_V0_CN6 union Multiset(FrFact_Init_3e61b158_F(rid_V1, ekiT_V0_CN8))) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // unfold acc(phiRF_Init_10_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(phiRF_Init_10_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // assert acc(e_Timestamp_c0f0ff6b_F(t1_V0_CN11, rid_V1)) + assert acc(e_Timestamp_c0f0ff6b_F(t1_V0_CN11, rid_V1), write) + + // init newTs_V1 + inhale newTs_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // newTs_V1 = dflt[ByteString_c7a67a88_T] + newTs_V1 := sliceDefault_Intbyte$$$_S_$$$() + + // N68 = newTs_V1 + N68 := newTs_V1 + + // init tsT_V1 + inhale tsT_V1 == dfltD$9084e2f5_1186dc0d_() + + // tsT_V1 = get_e_Timestamp_r1_c0f0ff6b_F(t1_V0_CN11, rid_V1) + tsT_V1 := get_e_Timestamp_r1_c0f0ff6b_F(t1_V0_CN11, rid_V1) + + // N70, N71 = Timestamp_c7a67a88_F(t1_V0_CN11, rid_V1) + N70, N71 := 
Timestamp_c7a67a88_F(t1_V0_CN11, rid_V1) + + // newTs_V1 = N70 + newTs_V1 := N70 + + // t1_V0_CN11 = N71 + t1_V0_CN11 := N71 + + // s1_V0_CN12 = s1_V0_CN12 union mset[Fact_3e61b158_T] { Timestamp_Init_3e61b158_F(rid_V1, tsT_V1) } + s1_V0_CN12 := (s1_V0_CN12 union Multiset(Timestamp_Init_3e61b158_F(rid_V1, tsT_V1))) + + // init sidI_V1 + inhale sidI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // init kI_V1 + inhale kI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // init pkR_V1 + inhale pkR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // init psk_V1 + inhale psk_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // init ekI_V1 + inhale ekI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // init ts_V1 + inhale ts_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // sidI_V1 = getSidI_1605c048_F(initiator_V0_CN0) + sidI_V1 := getSidI_1605c048_F(initiator_V0_CN0) + + // kI_V1 = getKI_1605c048_F(initiator_V0_CN0) + kI_V1 := getKI_1605c048_F(initiator_V0_CN0) + + // pkR_V1 = getPkR_1605c048_F(initiator_V0_CN0) + pkR_V1 := getPkR_1605c048_F(initiator_V0_CN0) + + // psk_V1 = getPsk_1605c048_F(initiator_V0_CN0) + psk_V1 := getPsk_1605c048_F(initiator_V0_CN0) + + // ekI_V1 = Abs_c7a67a88_F(newPk_V1) + ekI_V1 := Abs_c7a67a88_F(newPk_V1) + + // ts_V1 = Abs_c7a67a88_F(newTs_V1) + ts_V1 := Abs_c7a67a88_F(newTs_V1) + + // N79, N80 = initiator_V0_CN0createRequest(hs_V0_CN1, newPk_V1, newTs_V1) + N79, N80 := createRequest_1605c048_PMInitiator(initiator_V0_CN0, hs_V0_CN1, newPk_V1, newTs_V1) + + // init request_V1 + inhale request_V1 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // request_V1 = N79 + request_V1 := N79 + + // ok_V0_CN7 = N80 + ok_V0_CN7 := N80 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // N81 = 
MarshalRequest_c7a67a88_F(request_V1) + N81 := MarshalRequest_c7a67a88_F(request_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // packet_V1 = N81 + packet_V1 := N81 + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = initiator_V0_CN0.getPP() + pp_V1 := getPP_1605c048_PMInitiator(initiator_V0_CN0) + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/4) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 4) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // unfold acc(phiRF_Init_11_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(phiRF_Init_11_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // init mac1T_V1 + inhale mac1T_V1 == dfltD$9084e2f5_1186dc0d_() + + // mac1T_V1 = get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN11, rid_V1) + mac1T_V1 := get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN11, rid_V1) + + // N87, N88 = &*initiator_V0_CN0.LibStateAAddMac1(packet_V1, Bytes_M1_35781e6d_F(sidI_V1, kI_V1, pkR_V1, ekI_V1, ts_V1, zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)), t1_V0_CN11, rid_V1) + N87, N88 := AddMac1_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, Bytes_M1_35781e6d_F(sidI_V1, kI_V1, pkR_V1, ekI_V1, ts_V1, zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)), t1_V0_CN11, rid_V1) + + // init mac1_V1 + inhale mac1_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // mac1_V1 = N87 + mac1_V1 := N87 + + // t1_V0_CN11 = N88 + t1_V0_CN11 := N88 + + // s1_V0_CN12 = s1_V0_CN12 union mset[Fact_3e61b158_T] { MAC_Init_3e61b158_F(rid_V1, mac1T_V1) } + s1_V0_CN12 := (s1_V0_CN12 union Multiset(MAC_Init_3e61b158_F(rid_V1, mac1T_V1))) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // unfold acc(phiRF_Init_11_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold 
acc(phiRF_Init_11_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // init mac2T_V1 + inhale mac2T_V1 == dfltD$9084e2f5_1186dc0d_() + + // mac2T_V1 = get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN11, rid_V1) + mac2T_V1 := get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN11, rid_V1) + + // N94, N95 = &*initiator_V0_CN0.LibStateAAddMac2(packet_V1, Bytes_M1_35781e6d_F(sidI_V1, kI_V1, pkR_V1, ekI_V1, ts_V1, gamma_b3aa12e7_F(mac1T_V1), zeroStringB_b3aa12e7_F(16)), t1_V0_CN11, rid_V1) + N94, N95 := AddMac2_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, Bytes_M1_35781e6d_F(sidI_V1, kI_V1, pkR_V1, ekI_V1, ts_V1, gamma_b3aa12e7_F(mac1T_V1), zeroStringB_b3aa12e7_F(16)), t1_V0_CN11, rid_V1) + + // init mac2_V1 + inhale mac2_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // mac2_V1 = N94 + mac2_V1 := N94 + + // t1_V0_CN11 = N95 + t1_V0_CN11 := N95 + + // s1_V0_CN12 = s1_V0_CN12 union mset[Fact_3e61b158_T] { MAC_Init_3e61b158_F(rid_V1, mac2T_V1) } + s1_V0_CN12 := (s1_V0_CN12 union Multiset(MAC_Init_3e61b158_F(rid_V1, mac2T_V1))) + + // assert Abs_c7a67a88_F(packet_V1) == gamma_b3aa12e7_F(Term_M1_35781e6d_F(rid_V1, ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8, tsT_V1, mac1T_V1, mac2T_V1)) + assert Abs_c7a67a88_F(packet_V1) == gamma_b3aa12e7_F(Term_M1_35781e6d_F(rid_V1, ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8, tsT_V1, mac1T_V1, mac2T_V1)) + + // c3T_V0_CN9 = Term_c3_35781e6d_F(ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8) + c3T_V0_CN9 := Term_c3_35781e6d_F(ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8) + + // h4T_V0_CN10 = Term_h4_35781e6d_F(ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8, tsT_V1) + h4T_V0_CN10 := Term_h4_35781e6d_F(ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8, tsT_V1) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // unfold acc(phiR_Init_0_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(phiR_Init_0_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // init Q1sidI_V1 + 
inhale Q1sidI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1sidI_V1 = rid_V1 + Q1sidI_V1 := rid_V1 + + // init Q1a_V1 + inhale Q1a_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1a_V1 = getFirst_d2674021_F(pp_V1) + Q1a_V1 := getFirst_d2674021_F(pp_V1) + + // init Q1b_V1 + inhale Q1b_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1b_V1 = getSecond_d2674021_F(pp_V1) + Q1b_V1 := getSecond_d2674021_F(pp_V1) + + // init Q1prologue_V1 + inhale Q1prologue_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1prologue_V1 = getThird_d2674021_F(pp_V1) + Q1prologue_V1 := getThird_d2674021_F(pp_V1) + + // init Q1info_V1 + inhale Q1info_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1info_V1 = getForth_d2674021_F(pp_V1) + Q1info_V1 := getForth_d2674021_F(pp_V1) + + // init Q1kI_V1 + inhale Q1kI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1kI_V1 = ltkT_V0_CN3 + Q1kI_V1 := ltkT_V0_CN3 + + // init Q1pkR_V1 + inhale Q1pkR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1pkR_V1 = ltpkT_V0_CN4 + Q1pkR_V1 := ltpkT_V0_CN4 + + // init Q1psk_V1 + inhale Q1psk_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1psk_V1 = pskT_V0_CN2 + Q1psk_V1 := pskT_V0_CN2 + + // init Q1ekI_V1 + inhale Q1ekI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1ekI_V1 = ekiT_V0_CN8 + Q1ekI_V1 := ekiT_V0_CN8 + + // init Q1timestamp_V1 + inhale Q1timestamp_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1timestamp_V1 = tsT_V1 + Q1timestamp_V1 := tsT_V1 + + // init Q1mac1I_V1 + inhale Q1mac1I_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1mac1I_V1 = mac1T_V1 + Q1mac1I_V1 := mac1T_V1 + + // init Q1mac2I_V1 + inhale Q1mac2I_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q1mac2I_V1 = mac2T_V1 + Q1mac2I_V1 := mac2T_V1 + + // init l_V1 + inhale l_V1 == Multiset[D$226445f2_3e61b158_]() + + // l_V1 = InternalInit1L_d2674021_F(Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1) + l_V1 := InternalInit1L_d2674021_F(Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, 
Q1mac1I_V1, Q1mac2I_V1) + + // init aM_V1 + inhale aM_V1 == Multiset[D$46be403b_2716b91c_]() + + // aM_V1 = InternalInit1A_d2674021_F(Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1) + aM_V1 := InternalInit1A_d2674021_F(Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1) + + // init r_V1 + inhale r_V1 == Multiset[D$226445f2_3e61b158_]() + + // r_V1 = InternalInit1R_d2674021_F(Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1) + r_V1 := InternalInit1R_d2674021_F(Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1) + + // N109 = internBIO_e_Handshake_St_Init_1_c0f0ff6b_F(t1_V0_CN11, Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1, l_V1, aM_V1, r_V1) + N109 := internBIO_e_Handshake_St_Init_1_c0f0ff6b_F(t1_V0_CN11, Q1sidI_V1, Q1a_V1, Q1b_V1, Q1prologue_V1, Q1info_V1, Q1kI_V1, Q1pkR_V1, Q1psk_V1, Q1ekI_V1, Q1timestamp_V1, Q1mac1I_V1, Q1mac2I_V1, l_V1, aM_V1, r_V1) + + // t1_V0_CN11 = N109 + t1_V0_CN11 := N109 + + // s1_V0_CN12 = U_3e61b158_F(l_V1, r_V1, s1_V0_CN12) + s1_V0_CN12 := U_3e61b158_F(l_V1, r_V1, s1_V0_CN12) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // unfold acc(phiRG_Init_5_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12)) + unfold acc(phiRG_Init_5_c0f0ff6b_F(t1_V0_CN11, rid_V1, s1_V0_CN12), write) + + // init packetTerm_V1 + inhale packetTerm_V1 == dfltD$9084e2f5_1186dc0d_() + + // packetTerm_V1 = Term_M1_35781e6d_F(rid_V1, ltkT_V0_CN3, ltpkT_V0_CN4, ekiT_V0_CN8, tsT_V1, mac1T_V1, mac2T_V1) + packetTerm_V1 := Term_M1_35781e6d_F(rid_V1, ltkT_V0_CN3, ltpkT_V0_CN4, 
ekiT_V0_CN8, tsT_V1, mac1T_V1, mac2T_V1) + + // assert 0 < OutFact_Init_3e61b158_F(rid_V1, packetTerm_V1) in s1_V0_CN12 + assert 0 < ((OutFact_Init_3e61b158_F(rid_V1, packetTerm_V1) in s1_V0_CN12)) + + // N113, N114 = &*initiator_V0_CN0.LibStateASend(packet_V1, t1_V0_CN11, rid_V1, packetTerm_V1) + N113, N114 := Send_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, t1_V0_CN11, rid_V1, packetTerm_V1) + + // ok_V0_CN7 = N113 + ok_V0_CN7 := N113 + + // t1_V0_CN11 = N114 + t1_V0_CN11 := N114 + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/4) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 4) + + // s1_V0_CN12 = s1_V0_CN12 setminus mset[Fact_3e61b158_T] { OutFact_Init_3e61b158_F(rid_V1, packetTerm_V1) } + s1_V0_CN12 := (s1_V0_CN12 setminus Multiset(OutFact_Init_3e61b158_F(rid_V1, packetTerm_V1))) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN7 + ok_V0 := ok_V0_CN7 + + // ekiT_V0 = ekiT_V0_CN8 + ekiT_V0 := ekiT_V0_CN8 + + // c3T_V0 = c3T_V0_CN9 + c3T_V0 := c3T_V0_CN9 + + // h4T_V0 = h4T_V0_CN10 + h4T_V0 := h4T_V0_CN10 + + // t1_V0 = t1_V0_CN11 + t1_V0 := t1_V0_CN11 + + // s1_V0 = s1_V0_CN12 + s1_V0 := s1_V0_CN12 +} + +method createRequest_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], newPk_V0: Slice[Ref], newTs_V0: Slice[Ref]) returns (request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write)) + requires acc(Mem_c7a67a88_F(newPk_V0), write) && Size_c7a67a88_F(newPk_V0) == 32 && 
acc(Mem_c7a67a88_F(newTs_V0), write) && Size_c7a67a88_F(newTs_V0) == 12 + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) + ensures ok_V0 ==> acc(HandshakeMem_1605c048_F(hs_V0), write) && acc(RequestMem_c7a67a88_F(request_V0), write) + ensures ok_V0 ==> RequestAbs_c7a67a88_F(request_V0) == Bytes_M1_35781e6d_F(getSidI_1605c048_F(initiator_V0), getKI_1605c048_F(initiator_V0), getPkR_1605c048_F(initiator_V0), old(Abs_c7a67a88_F(newPk_V0)), old(Abs_c7a67a88_F(newTs_V0)), zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)) + ensures ok_V0 ==> getNHash_1605c048_F(hs_V0) == Bytes_h4_35781e6d_F(getKI_1605c048_F(initiator_V0), getPkR_1605c048_F(initiator_V0), old(Abs_c7a67a88_F(newPk_V0)), old(Abs_c7a67a88_F(newTs_V0))) + ensures ok_V0 ==> getNKey_1605c048_F(hs_V0) == Bytes_c3_35781e6d_F(getKI_1605c048_F(initiator_V0), getPkR_1605c048_F(initiator_V0), old(Abs_c7a67a88_F(newPk_V0))) + ensures ok_V0 ==> getEkI_1605c048_F(hs_V0) == old(Abs_c7a67a88_F(newPk_V0)) +{ + inhale request_V0 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + inhale ok_V0 == false + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, newPk_V0_CN2: ByteString_c7a67a88_T°, newTs_V0_CN3: ByteString_c7a67a88_T°, request_V0_CN4: *Request_c7a67a88_T°, ok_V0_CN5: bool° + var ok_V0_CN5: Bool + var request_V0_CN4: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var newTs_V0_CN3: Slice[Ref] + var newPk_V0_CN2: Slice[Ref] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == 
shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init newPk_V0_CN2 + inhale newPk_V0_CN2 == sliceDefault_Intbyte$$$_S_$$$() + + // init newTs_V0_CN3 + inhale newTs_V0_CN3 == sliceDefault_Intbyte$$$_S_$$$() + + // init request_V0_CN4 + inhale request_V0_CN4 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init ok_V0_CN5 + inhale ok_V0_CN5 == false + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // newPk_V0_CN2 = newPk_V0 + newPk_V0_CN2 := newPk_V0 + + // newTs_V0_CN3 = newTs_V0 + newTs_V0_CN3 := newTs_V0 + + // decl args_V1: *HandshakeArguments_c7a67a88_T°, kI_V1: Bytes_b3aa12e7_T°, pkR_V1: Bytes_b3aa12e7_T°, ekI_V1: Bytes_b3aa12e7_T°, ts_V1: Bytes_b3aa12e7_T°, N34: ByteString_c7a67a88_T°, N35: ByteString_c7a67a88_T°, N38: ByteString_c7a67a88_T°, N39: ByteString_c7a67a88_T°, N42: ByteString_c7a67a88_T°, publicEphemeral_V1: ByteString_c7a67a88_T°, N49: ByteString_c7a67a88_T°, ss_V1: ByteString_c7a67a88_T°, N51: ByteString_c7a67a88_T°, key_V1: ByteString_c7a67a88_T°, N56: ByteString_c7a67a88_T°, N57: ByteString_c7a67a88_T°, N58: bool°, encryptedStaticPk_V1: ByteString_c7a67a88_T°, N63: ByteString_c7a67a88_T°, sharedStatic_V1: ByteString_c7a67a88_T°, N69: ByteString_c7a67a88_T°, N70: ByteString_c7a67a88_T°, 
N71: bool°, timestamp_V1: ByteString_c7a67a88_T°, N74: *Request_c7a67a88_T° + var N74: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var timestamp_V1: Slice[Ref] + var N71: Bool + var N70: Slice[Ref] + var N69: Slice[Ref] + var sharedStatic_V1: Slice[Ref] + var N63: Slice[Ref] + var encryptedStaticPk_V1: Slice[Ref] + var N58: Bool + var N57: Slice[Ref] + var N56: Slice[Ref] + var key_V1: Slice[Ref] + var N51: Slice[Ref] + var ss_V1: Slice[Ref] + var N49: Slice[Ref] + var publicEphemeral_V1: Slice[Ref] + var N42: Slice[Ref] + var N39: Slice[Ref] + var N38: Slice[Ref] + var N35: Slice[Ref] + var N34: Slice[Ref] + var ts_V1: D$8d64a7ad_b3aa12e7_ + var ekI_V1: D$8d64a7ad_b3aa12e7_ + var pkR_V1: D$8d64a7ad_b3aa12e7_ + var kI_V1: D$8d64a7ad_b3aa12e7_ + var args_V1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // init args_V1 + inhale args_V1 == shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // args_V1 = &*initiator_V0_CN0.HandshakeInfoA + args_V1 := (ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref]) + + // unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // init kI_V1 + inhale kI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // kI_V1 = Abs_c7a67a88_F(*args_V1.PrivateKeyA) + kI_V1 := Abs_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref) + + // init pkR_V1 + inhale pkR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // pkR_V1 = Abs_c7a67a88_F(*args_V1.RemoteStaticA) + pkR_V1 := Abs_c7a67a88_F((ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // init ekI_V1 + inhale ekI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // ekI_V1 = Abs_c7a67a88_F(newPk_V0_CN2) + ekI_V1 := 
Abs_c7a67a88_F(newPk_V0_CN2) + + // init ts_V1 + inhale ts_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // ts_V1 = Abs_c7a67a88_F(newTs_V0_CN3) + ts_V1 := Abs_c7a67a88_F(newTs_V0_CN3) + + // N34 = WireGuardBytes_c7a67a88_F() + N34 := WireGuardBytes_c7a67a88_F() + + // N35 = ComputeSingleHash_c7a67a88_F(N34) + N35 := ComputeSingleHash_c7a67a88_F(N34) + + // *hs_V0_CN1.ChainKeyA = N35 + (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref := N35 + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c0_35781e6d_F() + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_c0_35781e6d_F() + + // N38 = NewByteString_c7a67a88_F(32) + N38 := NewByteString_c7a67a88_F(32) + + // *hs_V0_CN1.ChainHashA = N38 + (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref := N38 + + // N39 = PreludeBytes_c7a67a88_F() + N39 := PreludeBytes_c7a67a88_F() + + // ComputeHash_c7a67a88_F(*hs_V0_CN1.ChainHashA, *hs_V0_CN1.ChainKeyA, N39) + ComputeHash_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, N39) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h0_35781e6d_F() + assert Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h0_35781e6d_F() + + // *hs_V0_CN1.LocalEphemeralA = newPk_V0_CN2 + (ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref := newPk_V0_CN2 + + // N42 = PublicKey_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA) + N42 := PublicKey_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init publicEphemeral_V1 + inhale publicEphemeral_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // publicEphemeral_V1 = N42 + publicEphemeral_V1 := N42 + + // ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, *args_V1.RemoteStaticA) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h1_35781e6d_F(pkR_V1) + assert 
Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h1_35781e6d_F(pkR_V1) + + // ComputeKDF1Inplace_c7a67a88_F(*hs_V0_CN1.ChainKeyA, publicEphemeral_V1) + ComputeKDF1Inplace_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, publicEphemeral_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c1_35781e6d_F(ekI_V1) + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_c1_35781e6d_F(ekI_V1) + + // ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, publicEphemeral_V1) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, publicEphemeral_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h2_35781e6d_F(pkR_V1, ekI_V1) + assert Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h2_35781e6d_F(pkR_V1, ekI_V1) + + // N49 = ComputeSharedSecret_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA, *args_V1.RemoteStaticA) + N49 := ComputeSharedSecret_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // init ss_V1 + inhale ss_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ss_V1 = N49 + ss_V1 := N49 + + // decl N50: bool° + var N50: Bool + + // N50 = IsZero_c7a67a88_F(ss_V1) + N50 := IsZero_c7a67a88_F(ss_V1) + + // if(N50) {...} else {...} + if (N50) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // request_V0_CN4 = (nil:*Request_c7a67a88_T) + request_V0_CN4 := shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // ok_V0_CN5 = false + 
ok_V0_CN5 := false + + // return + goto returnLabel + } + + // N51 = NewByteString_c7a67a88_F(32) + N51 := NewByteString_c7a67a88_F(32) + + // init key_V1 + inhale key_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // key_V1 = N51 + key_V1 := N51 + + // ComputeKDF2Inplace_c7a67a88_F(key_V1, *hs_V0_CN1.ChainKeyA, ss_V1) + ComputeKDF2Inplace_c7a67a88_F(key_V1, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, ss_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c2_35781e6d_F(pkR_V1, ekI_V1) + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_c2_35781e6d_F(pkR_V1, ekI_V1) + + // assert Abs_c7a67a88_F(key_V1) == Bytes_k1_35781e6d_F(pkR_V1, ekI_V1) + assert Abs_c7a67a88_F(key_V1) == Bytes_k1_35781e6d_F(pkR_V1, ekI_V1) + + // N56 = ZeroNonce_c7a67a88_F() + N56 := ZeroNonce_c7a67a88_F() + + // N57, N58 = AeadEnc_c7a67a88_F(key_V1, N56, *args_V1.LocalStaticA, *hs_V0_CN1.ChainHashA) + N57, N58 := AeadEnc_c7a67a88_F(key_V1, N56, (ShStructget3of5(args_V1): Ref).val$_Slice_Ref, (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init encryptedStaticPk_V1 + inhale encryptedStaticPk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // encryptedStaticPk_V1 = N57 + encryptedStaticPk_V1 := N57 + + // ok_V0_CN5 = N58 + ok_V0_CN5 := N58 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // assert Abs_c7a67a88_F(encryptedStaticPk_V1) == Bytes_c_pkI_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + assert Abs_c7a67a88_F(encryptedStaticPk_V1) == Bytes_c_pkI_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + + // ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, encryptedStaticPk_V1) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, 
encryptedStaticPk_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h3_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + assert Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h3_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + + // N63 = ComputeSharedSecret_c7a67a88_F(*args_V1.PrivateKeyA, *args_V1.RemoteStaticA) + N63 := ComputeSharedSecret_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref, (ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // init sharedStatic_V1 + inhale sharedStatic_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // sharedStatic_V1 = N63 + sharedStatic_V1 := N63 + + // decl N64: bool° + var N64: Bool + + // N64 = IsZero_c7a67a88_F(sharedStatic_V1) + N64 := IsZero_c7a67a88_F(sharedStatic_V1) + + // if(N64) {...} else {...} + if (N64) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // request_V0_CN4 = (nil:*Request_c7a67a88_T) + request_V0_CN4 := shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // ok_V0_CN5 = false + ok_V0_CN5 := false + + // return + goto returnLabel + } + + // ComputeKDF2Inplace_c7a67a88_F(key_V1, *hs_V0_CN1.ChainKeyA, sharedStatic_V1) + ComputeKDF2Inplace_c7a67a88_F(key_V1, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, sharedStatic_V1) + + // assert Abs_c7a67a88_F(key_V1) == Bytes_k2_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + assert Abs_c7a67a88_F(key_V1) == Bytes_k2_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c3_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): 
Ref).val$_Slice_Ref) == Bytes_c3_35781e6d_F(kI_V1, pkR_V1, ekI_V1) + + // N69 = ZeroNonce_c7a67a88_F() + N69 := ZeroNonce_c7a67a88_F() + + // N70, N71 = AeadEnc_c7a67a88_F(key_V1, N69, newTs_V0_CN3, *hs_V0_CN1.ChainHashA) + N70, N71 := AeadEnc_c7a67a88_F(key_V1, N69, newTs_V0_CN3, (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init timestamp_V1 + inhale timestamp_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // timestamp_V1 = N70 + timestamp_V1 := N70 + + // ok_V0_CN5 = N71 + ok_V0_CN5 := N71 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // assert Abs_c7a67a88_F(timestamp_V1) == Bytes_c_ts_35781e6d_F(kI_V1, pkR_V1, ekI_V1, ts_V1) + assert Abs_c7a67a88_F(timestamp_V1) == Bytes_c_ts_35781e6d_F(kI_V1, pkR_V1, ekI_V1, ts_V1) + + // N74 = new(Request_c7a67a88_T{1, *args_V1.LocalIndexA, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, dflt[ByteString_c7a67a88_T], dflt[ByteString_c7a67a88_T]}) + var fn$$0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of7(fn$$0): Ref).val$_Int, write) && acc((ShStructget1of7(fn$$0): Ref).val$_Int, write) && acc((ShStructget2of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget5of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget6of7(fn$$0): Ref).val$_Slice_Ref, write) && (true && (ShStructget0of7(fn$$0): Ref).val$_Int == (get0of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], 
Slice[Ref], Slice[Ref]])): Int) && (ShStructget1of7(fn$$0): Ref).val$_Int == (get1of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Int) && (ShStructget2of7(fn$$0): Ref).val$_Slice_Ref == (get2of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget3of7(fn$$0): Ref).val$_Slice_Ref == (get3of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget4of7(fn$$0): Ref).val$_Slice_Ref == (get4of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget5of7(fn$$0): Ref).val$_Slice_Ref == (get5of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget6of7(fn$$0): Ref).val$_Slice_Ref == (get6of7((tuple7(1, (ShStructget2of5(args_V1): Ref).val$_Int, publicEphemeral_V1, encryptedStaticPk_V1, timestamp_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref])) + N74 := 
fn$$0 + + // request_V0_CN4 = N74 + request_V0_CN4 := N74 + + // ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, timestamp_V1) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, timestamp_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h4_35781e6d_F(kI_V1, pkR_V1, ekI_V1, ts_V1) + assert Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h4_35781e6d_F(kI_V1, pkR_V1, ekI_V1, ts_V1) + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // fold acc(RequestMem_c7a67a88_F(request_V0_CN4)) + fold acc(RequestMem_c7a67a88_F(request_V0_CN4), write) + + // fold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + fold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // return + goto returnLabel + label returnLabel + + // request_V0 = request_V0_CN4 + request_V0 := request_V0_CN4 + + // ok_V0 = ok_V0_CN5 + ok_V0 := ok_V0_CN5 +} + +method receiveResponse_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], pskT_V0: D$9084e2f5_1186dc0d_, ltkT_V0: D$9084e2f5_1186dc0d_, ltpkT_V0: D$9084e2f5_1186dc0d_, ekiT_V0: D$9084e2f5_1186dc0d_, c3T_V0: D$9084e2f5_1186dc0d_, h4T_V0: D$9084e2f5_1186dc0d_, t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, sidRT_V0: D$9084e2f5_1186dc0d_, c7T_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 4) && acc(HandshakeMem_1605c048_F(hs_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, getRid_1605c048_PMInitiator(initiator_V0), s_V0), write) + requires 0 < 
((St_Init_1_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), ltkT_V0, ltpkT_V0, ekiT_V0, pskT_V0, c3T_V0, h4T_V0) in s_V0)) + requires getPsk_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(pskT_V0) + requires getKI_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltkT_V0) + requires getPkR_1605c048_F(initiator_V0) == gamma_b3aa12e7_F(ltpkT_V0) + requires getEkI_1605c048_F(hs_V0) == gamma_b3aa12e7_F(ekiT_V0) + requires getNKey_1605c048_F(hs_V0) == gamma_b3aa12e7_F(c3T_V0) + requires getNHash_1605c048_F(hs_V0) == gamma_b3aa12e7_F(h4T_V0) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 4) && acc(HandshakeMem_1605c048_F(hs_V0), write) + ensures getEkI_1605c048_F(hs_V0) == old(getEkI_1605c048_F(hs_V0)) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, getRid_1605c048_PMInitiator(initiator_V0), s1_V0), write) + ensures ok_V0 ==> 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kdf1__d2674021_F(c7T_V0), kdf2__d2674021_F(c7T_V0)) in s1_V0)) + ensures ok_V0 ==> getNKey_1605c048_F(hs_V0) == gamma_b3aa12e7_F(c7T_V0) && getSidR_1605c048_F(hs_V0) == gamma_b3aa12e7_F(sidRT_V0) +{ + inhale ok_V0 == false + inhale sidRT_V0 == dfltD$9084e2f5_1186dc0d_() + inhale c7T_V0 == dfltD$9084e2f5_1186dc0d_() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, pskT_V0_CN2: Term_1186dc0d_T°, 
ltkT_V0_CN3: Term_1186dc0d_T°, ltpkT_V0_CN4: Term_1186dc0d_T°, ekiT_V0_CN5: Term_1186dc0d_T°, c3T_V0_CN6: Term_1186dc0d_T°, h4T_V0_CN7: Term_1186dc0d_T°, t_V0_CN8: Place_c3672ae3_T°, s_V0_CN9: mset[Fact_3e61b158_T]°, ok_V0_CN10: bool°, sidRT_V0_CN11: Term_1186dc0d_T°, c7T_V0_CN12: Term_1186dc0d_T°, t1_V0_CN13: Place_c3672ae3_T°, s1_V0_CN14: mset[Fact_3e61b158_T]° + var s1_V0_CN14: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN13: D$fe170ee1_c3672ae3_ + var c7T_V0_CN12: D$9084e2f5_1186dc0d_ + var sidRT_V0_CN11: D$9084e2f5_1186dc0d_ + var ok_V0_CN10: Bool + var s_V0_CN9: Multiset[D$226445f2_3e61b158_] + var t_V0_CN8: D$fe170ee1_c3672ae3_ + var h4T_V0_CN7: D$9084e2f5_1186dc0d_ + var c3T_V0_CN6: D$9084e2f5_1186dc0d_ + var ekiT_V0_CN5: D$9084e2f5_1186dc0d_ + var ltpkT_V0_CN4: D$9084e2f5_1186dc0d_ + var ltkT_V0_CN3: D$9084e2f5_1186dc0d_ + var pskT_V0_CN2: D$9084e2f5_1186dc0d_ + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init pskT_V0_CN2 + inhale pskT_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init ltkT_V0_CN3 + inhale ltkT_V0_CN3 == dfltD$9084e2f5_1186dc0d_() + + // init ltpkT_V0_CN4 + inhale ltpkT_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init ekiT_V0_CN5 + inhale ekiT_V0_CN5 == dfltD$9084e2f5_1186dc0d_() + + // init c3T_V0_CN6 + inhale c3T_V0_CN6 == dfltD$9084e2f5_1186dc0d_() + + // init h4T_V0_CN7 + inhale 
h4T_V0_CN7 == dfltD$9084e2f5_1186dc0d_() + + // init t_V0_CN8 + inhale t_V0_CN8 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN9 + inhale s_V0_CN9 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN10 + inhale ok_V0_CN10 == false + + // init sidRT_V0_CN11 + inhale sidRT_V0_CN11 == dfltD$9084e2f5_1186dc0d_() + + // init c7T_V0_CN12 + inhale c7T_V0_CN12 == dfltD$9084e2f5_1186dc0d_() + + // init t1_V0_CN13 + inhale t1_V0_CN13 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN14 + inhale s1_V0_CN14 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // pskT_V0_CN2 = pskT_V0 + pskT_V0_CN2 := pskT_V0 + + // ltkT_V0_CN3 = ltkT_V0 + ltkT_V0_CN3 := ltkT_V0 + + // ltpkT_V0_CN4 = ltpkT_V0 + ltpkT_V0_CN4 := ltpkT_V0 + + // ekiT_V0_CN5 = ekiT_V0 + ekiT_V0_CN5 := ekiT_V0 + + // c3T_V0_CN6 = c3T_V0 + c3T_V0_CN6 := c3T_V0 + + // h4T_V0_CN7 = h4T_V0 + h4T_V0_CN7 := h4T_V0 + + // t_V0_CN8 = t_V0 + t_V0_CN8 := t_V0 + + // s_V0_CN9 = s_V0 + s_V0_CN9 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, N58: ByteString_c7a67a88_T°, N59: bool°, N60: Term_1186dc0d_T°, N61: Place_c3672ae3_T°, packet_V1: ByteString_c7a67a88_T°, term_V1: Term_1186dc0d_T°, recvB_V1: Bytes_b3aa12e7_T°, N64: *Response_c7a67a88_T°, N65: bool°, response_V1: *Response_c7a67a88_T°, BeforeConsume_L, N66: bool° + var N66: Bool + var response_V1: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var N65: Bool + var N64: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var recvB_V1: D$8d64a7ad_b3aa12e7_ + var term_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N61: D$fe170ee1_c3672ae3_ + var N60: D$9084e2f5_1186dc0d_ + var N59: Bool + var N58: Slice[Ref] + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = initiator_V0_CN0.getRid() + rid_V1 := getRid_1605c048_PMInitiator(initiator_V0_CN0) + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN8, rid_V1, 
s_V0_CN9)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9), write) + + // unfold acc(phiRF_Init_12_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9)) + unfold acc(phiRF_Init_12_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9), write) + + // assert acc(e_InFact_c0f0ff6b_F(t_V0_CN8, rid_V1)) + assert acc(e_InFact_c0f0ff6b_F(t_V0_CN8, rid_V1), write) + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/4) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 4) + + // N58, N59, N60, N61 = &*initiator_V0_CN0.LibStateAReceive(t_V0_CN8, rid_V1) + N58, N59, N60, N61 := Receive_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), t_V0_CN8, rid_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // init term_V1 + inhale term_V1 == dfltD$9084e2f5_1186dc0d_() + + // packet_V1 = N58 + packet_V1 := N58 + + // ok_V0_CN10 = N59 + ok_V0_CN10 := N59 + + // term_V1 = N60 + term_V1 := N60 + + // t1_V0_CN13 = N61 + t1_V0_CN13 := N61 + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/4) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 4) + + // if(!ok_V0_CN10) {...} else {...} + if (!ok_V0_CN10) { + + // decl + + // return + goto returnLabel + } + + // init recvB_V1 + inhale recvB_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // recvB_V1 = Abs_c7a67a88_F(packet_V1) + recvB_V1 := Abs_c7a67a88_F(packet_V1) + + // s1_V0_CN14 = s_V0_CN9 union mset[Fact_3e61b158_T] { InFact_Init_3e61b158_F(rid_V1, term_V1) } + s1_V0_CN14 := (s_V0_CN9 union Multiset(InFact_Init_3e61b158_F(rid_V1, term_V1))) + + // N64, N65 = UnmarshalResponse_c7a67a88_F(packet_V1) + N64, N65 := UnmarshalResponse_c7a67a88_F(packet_V1) + + // init response_V1 + inhale response_V1 == 
shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // response_V1 = N64 + response_V1 := N64 + + // ok_V0_CN10 = N65 + ok_V0_CN10 := N65 + + // if(!ok_V0_CN10) {...} else {...} + if (!ok_V0_CN10) { + + // decl + + // return + goto returnLabel + } + + // BeforeConsume_L + label BeforeConsume_L + + // N66 = initiator_V0_CN0consumeResponse(hs_V0_CN1, response_V1) + N66 := consumeResponse_1605c048_PMInitiator(initiator_V0_CN0, hs_V0_CN1, response_V1) + + // ok_V0_CN10 = N66 + ok_V0_CN10 := N66 + + // if(!ok_V0_CN10) {...} else {...} + if (!ok_V0_CN10) { + + // decl + + // return + goto returnLabel + } + + // if(ok_V0_CN10) {...} else {...} + if (ok_V0_CN10) { + + // decl pp_V2: Term_1186dc0d_T°, sidI_V2: Bytes_b3aa12e7_T°, kI_V2: Bytes_b3aa12e7_T°, pkR_V2: Bytes_b3aa12e7_T°, psk_V2: Bytes_b3aa12e7_T°, ekI_V2: Bytes_b3aa12e7_T°, c3_V2: Bytes_b3aa12e7_T°, h4_V2: Bytes_b3aa12e7_T°, sidR_V2: Bytes_b3aa12e7_T°, epkR_V2: Bytes_b3aa12e7_T°, mac1_V2: Bytes_b3aa12e7_T°, mac2_V2: Bytes_b3aa12e7_T°, sidRX_V2: Term_1186dc0d_T°, epkRX_V2: Term_1186dc0d_T°, mac1X_V2: Term_1186dc0d_T°, mac2X_V2: Term_1186dc0d_T°, N97: Term_1186dc0d_T°, N98: Term_1186dc0d_T°, N99: Term_1186dc0d_T°, N100: Term_1186dc0d_T°, cEmpty_V2: Term_1186dc0d_T°, kIR_V2: Bytes_b3aa12e7_T°, kRI_V2: Bytes_b3aa12e7_T°, kirT_V2: Term_1186dc0d_T°, kriT_V2: Term_1186dc0d_T°, Q2sidI_V2: Term_1186dc0d_T°, Q2a_V2: Term_1186dc0d_T°, Q2b_V2: Term_1186dc0d_T°, Q2prologue_V2: Term_1186dc0d_T°, Q2info_V2: Term_1186dc0d_T°, Q2kI_V2: Term_1186dc0d_T°, Q2pkR_V2: Term_1186dc0d_T°, Q2ekI_V2: Term_1186dc0d_T°, Q2psk_V2: Term_1186dc0d_T°, Q2c3_V2: Term_1186dc0d_T°, Q2h4_V2: Term_1186dc0d_T°, Q2sidR_V2: Term_1186dc0d_T°, Q2epkR_V2: Term_1186dc0d_T°, Q2mac1R_V2: Term_1186dc0d_T°, Q2mac2R_V2: 
Term_1186dc0d_T°, l_V2: mset[Fact_3e61b158_T]°, aM_V2: mset[Claim_2716b91c_T]°, r_V2: mset[Fact_3e61b158_T]°, N117: Place_c3672ae3_T° + var N117: D$fe170ee1_c3672ae3_ + var r_V2: Multiset[D$226445f2_3e61b158_] + var aM_V2: Multiset[D$46be403b_2716b91c_] + var l_V2: Multiset[D$226445f2_3e61b158_] + var Q2mac2R_V2: D$9084e2f5_1186dc0d_ + var Q2mac1R_V2: D$9084e2f5_1186dc0d_ + var Q2epkR_V2: D$9084e2f5_1186dc0d_ + var Q2sidR_V2: D$9084e2f5_1186dc0d_ + var Q2h4_V2: D$9084e2f5_1186dc0d_ + var Q2c3_V2: D$9084e2f5_1186dc0d_ + var Q2psk_V2: D$9084e2f5_1186dc0d_ + var Q2ekI_V2: D$9084e2f5_1186dc0d_ + var Q2pkR_V2: D$9084e2f5_1186dc0d_ + var Q2kI_V2: D$9084e2f5_1186dc0d_ + var Q2info_V2: D$9084e2f5_1186dc0d_ + var Q2prologue_V2: D$9084e2f5_1186dc0d_ + var Q2b_V2: D$9084e2f5_1186dc0d_ + var Q2a_V2: D$9084e2f5_1186dc0d_ + var Q2sidI_V2: D$9084e2f5_1186dc0d_ + var kriT_V2: D$9084e2f5_1186dc0d_ + var kirT_V2: D$9084e2f5_1186dc0d_ + var kRI_V2: D$8d64a7ad_b3aa12e7_ + var kIR_V2: D$8d64a7ad_b3aa12e7_ + var cEmpty_V2: D$9084e2f5_1186dc0d_ + var N100: D$9084e2f5_1186dc0d_ + var N99: D$9084e2f5_1186dc0d_ + var N98: D$9084e2f5_1186dc0d_ + var N97: D$9084e2f5_1186dc0d_ + var mac2X_V2: D$9084e2f5_1186dc0d_ + var mac1X_V2: D$9084e2f5_1186dc0d_ + var epkRX_V2: D$9084e2f5_1186dc0d_ + var sidRX_V2: D$9084e2f5_1186dc0d_ + var mac2_V2: D$8d64a7ad_b3aa12e7_ + var mac1_V2: D$8d64a7ad_b3aa12e7_ + var epkR_V2: D$8d64a7ad_b3aa12e7_ + var sidR_V2: D$8d64a7ad_b3aa12e7_ + var h4_V2: D$8d64a7ad_b3aa12e7_ + var c3_V2: D$8d64a7ad_b3aa12e7_ + var ekI_V2: D$8d64a7ad_b3aa12e7_ + var psk_V2: D$8d64a7ad_b3aa12e7_ + var pkR_V2: D$8d64a7ad_b3aa12e7_ + var kI_V2: D$8d64a7ad_b3aa12e7_ + var sidI_V2: D$8d64a7ad_b3aa12e7_ + var pp_V2: D$9084e2f5_1186dc0d_ + + // init pp_V2 + inhale pp_V2 == dfltD$9084e2f5_1186dc0d_() + + // pp_V2 = initiator_V0_CN0.getPP() + pp_V2 := getPP_1605c048_PMInitiator(initiator_V0_CN0) + + // init sidI_V2 + inhale sidI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // sidI_V2 = 
old(getSidI_1605c048_F(initiator_V0_CN0)) + sidI_V2 := old(getSidI_1605c048_F(initiator_V0_CN0)) + + // init kI_V2 + inhale kI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // kI_V2 = old(getKI_1605c048_F(initiator_V0_CN0)) + kI_V2 := old(getKI_1605c048_F(initiator_V0_CN0)) + + // init pkR_V2 + inhale pkR_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // pkR_V2 = old(getPkR_1605c048_F(initiator_V0_CN0)) + pkR_V2 := old(getPkR_1605c048_F(initiator_V0_CN0)) + + // init psk_V2 + inhale psk_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // psk_V2 = old(getPsk_1605c048_F(initiator_V0_CN0)) + psk_V2 := old(getPsk_1605c048_F(initiator_V0_CN0)) + + // init ekI_V2 + inhale ekI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // ekI_V2 = old(getEkI_1605c048_F(hs_V0_CN1)) + ekI_V2 := old(getEkI_1605c048_F(hs_V0_CN1)) + + // init c3_V2 + inhale c3_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // c3_V2 = old(getNKey_1605c048_F(hs_V0_CN1)) + c3_V2 := old(getNKey_1605c048_F(hs_V0_CN1)) + + // init h4_V2 + inhale h4_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // h4_V2 = old(getNHash_1605c048_F(hs_V0_CN1)) + h4_V2 := old(getNHash_1605c048_F(hs_V0_CN1)) + + // init sidR_V2 + inhale sidR_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // sidR_V2 = getSidR_1605c048_F(hs_V0_CN1) + sidR_V2 := getSidR_1605c048_F(hs_V0_CN1) + + // init epkR_V2 + inhale epkR_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // epkR_V2 = old[BeforeConsume_L](ResponseEpkR_c7a67a88_F(response_V1)) + epkR_V2 := old[BeforeConsume_L](ResponseEpkR_c7a67a88_F(response_V1)) + + // init mac1_V2 + inhale mac1_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // mac1_V2 = old[BeforeConsume_L](ResponseMac1_c7a67a88_F(response_V1)) + mac1_V2 := old[BeforeConsume_L](ResponseMac1_c7a67a88_F(response_V1)) + + // init mac2_V2 + inhale mac2_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // mac2_V2 = old[BeforeConsume_L](ResponseMac2_c7a67a88_F(response_V1)) + mac2_V2 := old[BeforeConsume_L](ResponseMac2_c7a67a88_F(response_V1)) + + // assert recvB_V1 == Bytes_M2_35781e6d_F(sidI_V2, sidR_V2, kI_V2, psk_V2, ekI_V2, c3_V2, h4_V2, 
epkR_V2, mac1_V2, mac2_V2) + assert recvB_V1 == Bytes_M2_35781e6d_F(sidI_V2, sidR_V2, kI_V2, psk_V2, ekI_V2, c3_V2, h4_V2, epkR_V2, mac1_V2, mac2_V2) + + // assert getNKey_1605c048_F(hs_V0_CN1) == Bytes_c7_35781e6d_F(kI_V2, psk_V2, ekI_V2, c3_V2, epkR_V2) + assert getNKey_1605c048_F(hs_V0_CN1) == Bytes_c7_35781e6d_F(kI_V2, psk_V2, ekI_V2, c3_V2, epkR_V2) + + // assert getNKey_1605c048_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_c7_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, oneTerm_b3aa12e7_F(epkR_V2))) + assert getNKey_1605c048_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_c7_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, oneTerm_b3aa12e7_F(epkR_V2))) + + // init sidRX_V2 + inhale sidRX_V2 == dfltD$9084e2f5_1186dc0d_() + + // init epkRX_V2 + inhale epkRX_V2 == dfltD$9084e2f5_1186dc0d_() + + // init mac1X_V2 + inhale mac1X_V2 == dfltD$9084e2f5_1186dc0d_() + + // init mac2X_V2 + inhale mac2X_V2 == dfltD$9084e2f5_1186dc0d_() + + // sidRX_V2 = dflt[Term_1186dc0d_T] + sidRX_V2 := dfltD$9084e2f5_1186dc0d_() + + // epkRX_V2 = dflt[Term_1186dc0d_T] + epkRX_V2 := dfltD$9084e2f5_1186dc0d_() + + // mac1X_V2 = dflt[Term_1186dc0d_T] + mac1X_V2 := dfltD$9084e2f5_1186dc0d_() + + // mac2X_V2 = dflt[Term_1186dc0d_T] + mac2X_V2 := dfltD$9084e2f5_1186dc0d_() + + // assert gamma_b3aa12e7_F(term_V1) == gamma_b3aa12e7_F(Term_M2_35781e6d_F(rid_V1, oneTerm_b3aa12e7_F(sidR_V2), ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, oneTerm_b3aa12e7_F(epkR_V2), oneTerm_b3aa12e7_F(mac1_V2), oneTerm_b3aa12e7_F(mac2_V2))) + assert gamma_b3aa12e7_F(term_V1) == gamma_b3aa12e7_F(Term_M2_35781e6d_F(rid_V1, oneTerm_b3aa12e7_F(sidR_V2), ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, oneTerm_b3aa12e7_F(epkR_V2), oneTerm_b3aa12e7_F(mac1_V2), oneTerm_b3aa12e7_F(mac2_V2))) + + // N97, N98, N99, N100 = patternProperty1_8142c2d2_F(rid_V1, pp_V2, ltkT_V0_CN3, ltpkT_V0_CN4, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, oneTerm_b3aa12e7_F(sidR_V2), 
oneTerm_b3aa12e7_F(epkR_V2), oneTerm_b3aa12e7_F(mac1_V2), oneTerm_b3aa12e7_F(mac2_V2), term_V1, t1_V0_CN13, s1_V0_CN14) + N97, N98, N99, N100 := patternProperty1_8142c2d2_F(rid_V1, pp_V2, ltkT_V0_CN3, ltpkT_V0_CN4, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, oneTerm_b3aa12e7_F(sidR_V2), oneTerm_b3aa12e7_F(epkR_V2), oneTerm_b3aa12e7_F(mac1_V2), oneTerm_b3aa12e7_F(mac2_V2), term_V1, t1_V0_CN13, s1_V0_CN14) + + // sidRX_V2 = N97 + sidRX_V2 := N97 + + // epkRX_V2 = N98 + epkRX_V2 := N98 + + // mac1X_V2 = N99 + mac1X_V2 := N99 + + // mac2X_V2 = N100 + mac2X_V2 := N100 + + // assert term_V1 == Term_M2_35781e6d_F(rid_V1, sidRX_V2, ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, epkRX_V2, mac1X_V2, mac2X_V2) + assert term_V1 == Term_M2_35781e6d_F(rid_V1, sidRX_V2, ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, epkRX_V2, mac1X_V2, mac2X_V2) + + // init cEmpty_V2 + inhale cEmpty_V2 == dfltD$9084e2f5_1186dc0d_() + + // cEmpty_V2 = Term_c_empty_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, epkRX_V2) + cEmpty_V2 := Term_c_empty_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, h4T_V0_CN7, epkRX_V2) + + // init kIR_V2 + inhale kIR_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // kIR_V2 = Bytes_k_IR_35781e6d_F(kI_V2, psk_V2, ekI_V2, c3_V2, epkR_V2) + kIR_V2 := Bytes_k_IR_35781e6d_F(kI_V2, psk_V2, ekI_V2, c3_V2, epkR_V2) + + // init kRI_V2 + inhale kRI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // kRI_V2 = Bytes_k_RI_35781e6d_F(kI_V2, psk_V2, ekI_V2, c3_V2, epkR_V2) + kRI_V2 := Bytes_k_RI_35781e6d_F(kI_V2, psk_V2, ekI_V2, c3_V2, epkR_V2) + + // sidRT_V0_CN11 = sidRX_V2 + sidRT_V0_CN11 := sidRX_V2 + + // assert getSidR_1605c048_F(hs_V0_CN1) == gamma_b3aa12e7_F(sidRT_V0_CN11) + assert getSidR_1605c048_F(hs_V0_CN1) == gamma_b3aa12e7_F(sidRT_V0_CN11) + + // c7T_V0_CN12 = Term_c7_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, epkRX_V2) + c7T_V0_CN12 := Term_c7_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, 
c3T_V0_CN6, epkRX_V2) + + // init kirT_V2 + inhale kirT_V2 == dfltD$9084e2f5_1186dc0d_() + + // kirT_V2 = Term_k_IR_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, epkRX_V2) + kirT_V2 := Term_k_IR_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, epkRX_V2) + + // init kriT_V2 + inhale kriT_V2 == dfltD$9084e2f5_1186dc0d_() + + // kriT_V2 = Term_k_RI_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, epkRX_V2) + kriT_V2 := Term_k_RI_35781e6d_F(ltkT_V0_CN3, pskT_V0_CN2, ekiT_V0_CN5, c3T_V0_CN6, epkRX_V2) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN13, rid_V1, s1_V0_CN14)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN13, rid_V1, s1_V0_CN14), write) + + // unfold acc(phiR_Init_1_c0f0ff6b_F(t1_V0_CN13, rid_V1, s1_V0_CN14)) + unfold acc(phiR_Init_1_c0f0ff6b_F(t1_V0_CN13, rid_V1, s1_V0_CN14), write) + + // init Q2sidI_V2 + inhale Q2sidI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2sidI_V2 = rid_V1 + Q2sidI_V2 := rid_V1 + + // init Q2a_V2 + inhale Q2a_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2a_V2 = getFirst_d2674021_F(pp_V2) + Q2a_V2 := getFirst_d2674021_F(pp_V2) + + // init Q2b_V2 + inhale Q2b_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2b_V2 = getSecond_d2674021_F(pp_V2) + Q2b_V2 := getSecond_d2674021_F(pp_V2) + + // init Q2prologue_V2 + inhale Q2prologue_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2prologue_V2 = getThird_d2674021_F(pp_V2) + Q2prologue_V2 := getThird_d2674021_F(pp_V2) + + // init Q2info_V2 + inhale Q2info_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2info_V2 = getForth_d2674021_F(pp_V2) + Q2info_V2 := getForth_d2674021_F(pp_V2) + + // init Q2kI_V2 + inhale Q2kI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2kI_V2 = ltkT_V0_CN3 + Q2kI_V2 := ltkT_V0_CN3 + + // init Q2pkR_V2 + inhale Q2pkR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2pkR_V2 = ltpkT_V0_CN4 + Q2pkR_V2 := ltpkT_V0_CN4 + + // init Q2ekI_V2 + inhale Q2ekI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2ekI_V2 = ekiT_V0_CN5 + Q2ekI_V2 := ekiT_V0_CN5 + + // init Q2psk_V2 + inhale Q2psk_V2 == 
dfltD$9084e2f5_1186dc0d_() + + // Q2psk_V2 = pskT_V0_CN2 + Q2psk_V2 := pskT_V0_CN2 + + // init Q2c3_V2 + inhale Q2c3_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2c3_V2 = c3T_V0_CN6 + Q2c3_V2 := c3T_V0_CN6 + + // init Q2h4_V2 + inhale Q2h4_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2h4_V2 = h4T_V0_CN7 + Q2h4_V2 := h4T_V0_CN7 + + // init Q2sidR_V2 + inhale Q2sidR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2sidR_V2 = sidRX_V2 + Q2sidR_V2 := sidRX_V2 + + // init Q2epkR_V2 + inhale Q2epkR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2epkR_V2 = epkRX_V2 + Q2epkR_V2 := epkRX_V2 + + // init Q2mac1R_V2 + inhale Q2mac1R_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2mac1R_V2 = mac1X_V2 + Q2mac1R_V2 := mac1X_V2 + + // init Q2mac2R_V2 + inhale Q2mac2R_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q2mac2R_V2 = mac2X_V2 + Q2mac2R_V2 := mac2X_V2 + + // init l_V2 + inhale l_V2 == Multiset[D$226445f2_3e61b158_]() + + // l_V2 = InternalInit2L_d2674021_F(Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2) + l_V2 := InternalInit2L_d2674021_F(Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2) + + // init aM_V2 + inhale aM_V2 == Multiset[D$46be403b_2716b91c_]() + + // aM_V2 = InternalInit2A_d2674021_F(Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2) + aM_V2 := InternalInit2A_d2674021_F(Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2) + + // init r_V2 + inhale r_V2 == Multiset[D$226445f2_3e61b158_]() + + // r_V2 = InternalInit2R_d2674021_F(Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2) + 
r_V2 := InternalInit2R_d2674021_F(Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2) + + // N117 = internBIO_e_Handshake_St_Init_2_c0f0ff6b_F(t1_V0_CN13, Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2, l_V2, aM_V2, r_V2) + N117 := internBIO_e_Handshake_St_Init_2_c0f0ff6b_F(t1_V0_CN13, Q2sidI_V2, Q2a_V2, Q2b_V2, Q2prologue_V2, Q2info_V2, Q2kI_V2, Q2pkR_V2, Q2ekI_V2, Q2psk_V2, Q2c3_V2, Q2h4_V2, Q2sidR_V2, Q2epkR_V2, Q2mac1R_V2, Q2mac2R_V2, l_V2, aM_V2, r_V2) + + // t1_V0_CN13 = N117 + t1_V0_CN13 := N117 + + // s1_V0_CN14 = U_3e61b158_F(l_V2, r_V2, s1_V0_CN14) + s1_V0_CN14 := U_3e61b158_F(l_V2, r_V2, s1_V0_CN14) + } + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN10 + ok_V0 := ok_V0_CN10 + + // sidRT_V0 = sidRT_V0_CN11 + sidRT_V0 := sidRT_V0_CN11 + + // c7T_V0 = c7T_V0_CN12 + c7T_V0 := c7T_V0_CN12 + + // t1_V0 = t1_V0_CN13 + t1_V0 := t1_V0_CN13 + + // s1_V0 = s1_V0_CN14 + s1_V0 := s1_V0_CN14 +} + +method consumeResponse_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) returns (ok_V0: Bool) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && acc(HandshakeMem_1605c048_F(hs_V0), write) && acc(ResponseMem_c7a67a88_F(response_V0), write) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && acc(HandshakeMem_1605c048_F(hs_V0), write) + ensures getEkI_1605c048_F(hs_V0) == old(getEkI_1605c048_F(hs_V0)) + ensures ok_V0 ==> old(ResponseAbs_c7a67a88_F(response_V0)) == Bytes_M2_35781e6d_F(getSidI_1605c048_F(initiator_V0), getSidR_1605c048_F(hs_V0), getKI_1605c048_F(initiator_V0), getPsk_1605c048_F(initiator_V0), old(getEkI_1605c048_F(hs_V0)), 
old(getNKey_1605c048_F(hs_V0)), old(getNHash_1605c048_F(hs_V0)), old(ResponseEpkR_c7a67a88_F(response_V0)), old(ResponseMac1_c7a67a88_F(response_V0)), old(ResponseMac2_c7a67a88_F(response_V0))) + ensures ok_V0 ==> getNKey_1605c048_F(hs_V0) == Bytes_c7_35781e6d_F(getKI_1605c048_F(initiator_V0), getPsk_1605c048_F(initiator_V0), old(getEkI_1605c048_F(hs_V0)), old(getNKey_1605c048_F(hs_V0)), old(ResponseEpkR_c7a67a88_F(response_V0))) +{ + inhale ok_V0 == false + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, response_V0_CN2: *Response_c7a67a88_T°, ok_V0_CN3: bool° + var ok_V0_CN3: Bool + var response_V0_CN2: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init response_V0_CN2 + inhale response_V0_CN2 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init ok_V0_CN3 + inhale ok_V0_CN3 == false + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // response_V0_CN2 = response_V0 + response_V0_CN2 := response_V0 + + // decl args_V1: 
*HandshakeArguments_c7a67a88_T°, kI_V1: Bytes_b3aa12e7_T°, psk_V1: Bytes_b3aa12e7_T°, ekI_V1: Bytes_b3aa12e7_T°, c3_V1: Bytes_b3aa12e7_T°, h4_V1: Bytes_b3aa12e7_T°, epkR_V1: Bytes_b3aa12e7_T°, N31: ByteString_c7a67a88_T°, chainHash_V1: ByteString_c7a67a88_T°, N32: ByteString_c7a67a88_T°, chainKey_V1: ByteString_c7a67a88_T°, N43: ByteString_c7a67a88_T°, tau_V1: ByteString_c7a67a88_T°, N44: ByteString_c7a67a88_T°, key_V1: ByteString_c7a67a88_T°, N53: ByteString_c7a67a88_T°, N54: ByteString_c7a67a88_T°, N55: ByteString_c7a67a88_T°, N56: ByteString_c7a67a88_T°, N57: bool° + var N57: Bool + var N56: Slice[Ref] + var N55: Slice[Ref] + var N54: Slice[Ref] + var N53: Slice[Ref] + var key_V1: Slice[Ref] + var N44: Slice[Ref] + var tau_V1: Slice[Ref] + var N43: Slice[Ref] + var chainKey_V1: Slice[Ref] + var N32: Slice[Ref] + var chainHash_V1: Slice[Ref] + var N31: Slice[Ref] + var epkR_V1: D$8d64a7ad_b3aa12e7_ + var h4_V1: D$8d64a7ad_b3aa12e7_ + var c3_V1: D$8d64a7ad_b3aa12e7_ + var ekI_V1: D$8d64a7ad_b3aa12e7_ + var psk_V1: D$8d64a7ad_b3aa12e7_ + var kI_V1: D$8d64a7ad_b3aa12e7_ + var args_V1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // init args_V1 + inhale args_V1 == shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // args_V1 = &*initiator_V0_CN0.HandshakeInfoA + args_V1 := (ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref]) + + // unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // unfold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + unfold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // unfold acc(ResponseMem_c7a67a88_F(response_V0_CN2)) + unfold 
acc(ResponseMem_c7a67a88_F(response_V0_CN2), write) + + // init kI_V1 + inhale kI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // kI_V1 = Abs_c7a67a88_F(*args_V1.PrivateKeyA) + kI_V1 := Abs_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref) + + // init psk_V1 + inhale psk_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // psk_V1 = Abs_c7a67a88_F(*args_V1.PresharedKeyA) + psk_V1 := Abs_c7a67a88_F((ShStructget0of5(args_V1): Ref).val$_Slice_Ref) + + // init ekI_V1 + inhale ekI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // ekI_V1 = Abs_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA) + ekI_V1 := Abs_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init c3_V1 + inhale c3_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // c3_V1 = Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) + c3_V1 := Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init h4_V1 + inhale h4_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // h4_V1 = Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) + h4_V1 := Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init epkR_V1 + inhale epkR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // epkR_V1 = Abs_c7a67a88_F(*response_V0_CN2.EphemeralA) + epkR_V1 := Abs_c7a67a88_F((ShStructget3of7(response_V0_CN2): Ref).val$_Slice_Ref) + + // ok_V0_CN3 = *response_V0_CN2.TypeA == 2 + ok_V0_CN3 := (ShStructget0of7(response_V0_CN2): Ref).val$_Int == 2 + + // if(!ok_V0_CN3) {...} else {...} + if (!ok_V0_CN3) { + + // decl + + // fold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + fold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // ok_V0_CN3 = *response_V0_CN2.ReceiverA == *args_V1.LocalIndexA + ok_V0_CN3 := (ShStructget2of7(response_V0_CN2): Ref).val$_Int == (ShStructget2of5(args_V1): Ref).val$_Int + + // 
if(!ok_V0_CN3) {...} else {...} + if (!ok_V0_CN3) { + + // decl + + // fold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + fold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // N31 = NewByteString_c7a67a88_F(32) + N31 := NewByteString_c7a67a88_F(32) + + // init chainHash_V1 + inhale chainHash_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // chainHash_V1 = N31 + chainHash_V1 := N31 + + // N32 = NewByteString_c7a67a88_F(32) + N32 := NewByteString_c7a67a88_F(32) + + // init chainKey_V1 + inhale chainKey_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // chainKey_V1 = N32 + chainKey_V1 := N32 + + // ComputeHash_c7a67a88_F(chainHash_V1, *hs_V0_CN1.ChainHashA, *response_V0_CN2.EphemeralA) + ComputeHash_c7a67a88_F(chainHash_V1, (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget3of7(response_V0_CN2): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h5_35781e6d_F(h4_V1, epkR_V1) + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h5_35781e6d_F(h4_V1, epkR_V1) + + // ComputeKDF1_c7a67a88_F(chainKey_V1, *hs_V0_CN1.ChainKeyA, *response_V0_CN2.EphemeralA) + ComputeKDF1_c7a67a88_F(chainKey_V1, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget3of7(response_V0_CN2): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c4_35781e6d_F(c3_V1, epkR_V1) + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c4_35781e6d_F(c3_V1, epkR_V1) + + // decl N37: ByteString_c7a67a88_T°, ss_V2: ByteString_c7a67a88_T° + var ss_V2: Slice[Ref] + var N37: Slice[Ref] + + // N37 = ComputeSharedSecret_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA, *response_V0_CN2.EphemeralA) + N37 := ComputeSharedSecret_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref, 
(ShStructget3of7(response_V0_CN2): Ref).val$_Slice_Ref) + + // init ss_V2 + inhale ss_V2 == sliceDefault_Intbyte$$$_S_$$$() + + // ss_V2 = N37 + ss_V2 := N37 + + // ComputeKDF1Inplace_c7a67a88_F(chainKey_V1, ss_V2) + ComputeKDF1Inplace_c7a67a88_F(chainKey_V1, ss_V2) + + // SetZero_c7a67a88_F(ss_V2) + SetZero_c7a67a88_F(ss_V2) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c5_35781e6d_F(ekI_V1, c3_V1, epkR_V1) + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c5_35781e6d_F(ekI_V1, c3_V1, epkR_V1) + + // decl N40: ByteString_c7a67a88_T°, ss_V3: ByteString_c7a67a88_T° + var ss_V3: Slice[Ref] + var N40: Slice[Ref] + + // N40 = ComputeSharedSecret_c7a67a88_F(*args_V1.PrivateKeyA, *response_V0_CN2.EphemeralA) + N40 := ComputeSharedSecret_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref, (ShStructget3of7(response_V0_CN2): Ref).val$_Slice_Ref) + + // init ss_V3 + inhale ss_V3 == sliceDefault_Intbyte$$$_S_$$$() + + // ss_V3 = N40 + ss_V3 := N40 + + // ComputeKDF1Inplace_c7a67a88_F(chainKey_V1, ss_V3) + ComputeKDF1Inplace_c7a67a88_F(chainKey_V1, ss_V3) + + // SetZero_c7a67a88_F(ss_V3) + SetZero_c7a67a88_F(ss_V3) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c6_35781e6d_F(kI_V1, ekI_V1, c3_V1, epkR_V1) + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c6_35781e6d_F(kI_V1, ekI_V1, c3_V1, epkR_V1) + + // N43 = NewByteString_c7a67a88_F(32) + N43 := NewByteString_c7a67a88_F(32) + + // init tau_V1 + inhale tau_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // tau_V1 = N43 + tau_V1 := N43 + + // N44 = NewByteString_c7a67a88_F(32) + N44 := NewByteString_c7a67a88_F(32) + + // init key_V1 + inhale key_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // key_V1 = N44 + key_V1 := N44 + + // ComputeKDF3Inplace_c7a67a88_F(tau_V1, key_V1, chainKey_V1, *args_V1.PresharedKeyA) + ComputeKDF3Inplace_c7a67a88_F(tau_V1, key_V1, chainKey_V1, (ShStructget0of5(args_V1): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c7_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, epkR_V1) + assert 
Abs_c7a67a88_F(chainKey_V1) == Bytes_c7_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, epkR_V1) + + // assert Abs_c7a67a88_F(tau_V1) == Bytes_pi_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, epkR_V1) + assert Abs_c7a67a88_F(tau_V1) == Bytes_pi_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, epkR_V1) + + // assert Abs_c7a67a88_F(key_V1) == Bytes_k3_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, epkR_V1) + assert Abs_c7a67a88_F(key_V1) == Bytes_k3_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, epkR_V1) + + // ComputeHashInplace_c7a67a88_F(chainHash_V1, tau_V1) + ComputeHashInplace_c7a67a88_F(chainHash_V1, tau_V1) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h6_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, h4_V1, epkR_V1) + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h6_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, h4_V1, epkR_V1) + + // N55 = ZeroNonce_c7a67a88_F() + N55 := ZeroNonce_c7a67a88_F() + + // N56, N57 = AeadDec_c7a67a88_F(key_V1, N55, *response_V0_CN2.EmptyA, chainHash_V1) + N56, N57 := AeadDec_c7a67a88_F(key_V1, N55, (ShStructget4of7(response_V0_CN2): Ref).val$_Slice_Ref, chainHash_V1) + + // N54 = N56 + N54 := N56 + + // ok_V0_CN3 = N57 + ok_V0_CN3 := N57 + + // if(!ok_V0_CN3) {...} else {...} + if (!ok_V0_CN3) { + + // decl + + // fold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + fold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // assert Abs_c7a67a88_F(*response_V0_CN2.EmptyA) == Bytes_c_empty_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, h4_V1, epkR_V1) + assert Abs_c7a67a88_F((ShStructget4of7(response_V0_CN2): Ref).val$_Slice_Ref) == Bytes_c_empty_35781e6d_F(kI_V1, psk_V1, ekI_V1, c3_V1, h4_V1, epkR_V1) + + // ComputeHashInplace_c7a67a88_F(chainHash_V1, *response_V0_CN2.EmptyA) + 
ComputeHashInplace_c7a67a88_F(chainHash_V1, (ShStructget4of7(response_V0_CN2): Ref).val$_Slice_Ref) + + // *hs_V0_CN1.ChainHashA = chainHash_V1 + (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref := chainHash_V1 + + // *hs_V0_CN1.ChainKeyA = chainKey_V1 + (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref := chainKey_V1 + + // *hs_V0_CN1.RemoteIndexA = *response_V0_CN2.SenderA + (ShStructget3of5(hs_V0_CN1): Ref).val$_Int := (ShStructget1of7(response_V0_CN2): Ref).val$_Int + + // fold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + fold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN3 + ok_V0 := ok_V0_CN3 +} + +method beginSymmetricSession_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], c7T_V0: D$9084e2f5_1186dc0d_) returns (conn_V0: ShStruct4[Ref, Ref, Ref, Ref]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 4) && acc(HandshakeMem_1605c048_F(hs_V0), write) + requires getNKey_1605c048_F(hs_V0) == gamma_b3aa12e7_F(c7T_V0) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 4) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) + ensures ConnectionKIR_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kdf1__d2674021_F(c7T_V0)) + ensures ConnectionKRI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kdf2__d2674021_F(c7T_V0)) + ensures ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 + ensures ConnectionSidI_c7a67a88_F(conn_V0) == old(getSidR_1605c048_F(hs_V0)) +{ + inhale conn_V0 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // decl 
initiator_V0_CN0: *Initiator_1605c048_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, c7T_V0_CN2: Term_1186dc0d_T°, conn_V0_CN3: *Connection_c7a67a88_T° + var conn_V0_CN3: ShStruct4[Ref, Ref, Ref, Ref] + var c7T_V0_CN2: D$9084e2f5_1186dc0d_ + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init c7T_V0_CN2 + inhale c7T_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init conn_V0_CN3 + inhale conn_V0_CN3 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // c7T_V0_CN2 = c7T_V0 + c7T_V0_CN2 := c7T_V0 + + // decl N15: ByteString_c7a67a88_T°, sendKey_V1: ByteString_c7a67a88_T°, N16: ByteString_c7a67a88_T°, recvKey_V1: ByteString_c7a67a88_T°, N17: *Connection_c7a67a88_T° + var N17: ShStruct4[Ref, Ref, Ref, Ref] + var recvKey_V1: Slice[Ref] + var N16: Slice[Ref] + var sendKey_V1: Slice[Ref] + var N15: Slice[Ref] + + // N15 = NewByteString_c7a67a88_F(32) + N15 := NewByteString_c7a67a88_F(32) + + // init sendKey_V1 + inhale sendKey_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // sendKey_V1 = N15 + sendKey_V1 := N15 + + // N16 = NewByteString_c7a67a88_F(32) + N16 := NewByteString_c7a67a88_F(32) + + // 
init recvKey_V1 + inhale recvKey_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // recvKey_V1 = N16 + recvKey_V1 := N16 + + // unfold acc(HandshakeMem_1605c048_F(hs_V0_CN1)) + unfold acc(HandshakeMem_1605c048_F(hs_V0_CN1), write) + + // ComputeKDF2_c7a67a88_F(sendKey_V1, recvKey_V1, *hs_V0_CN1.ChainKeyA, (nil:ByteString_c7a67a88_T)) + ComputeKDF2_c7a67a88_F(sendKey_V1, recvKey_V1, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, sliceDefault_Intbyte$$$_S_$$$()) + + // *hs_V0_CN1.ChainKeyA = (nil:ByteString_c7a67a88_T) + (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref := sliceDefault_Intbyte$$$_S_$$$() + + // *hs_V0_CN1.ChainHashA = (nil:ByteString_c7a67a88_T) + (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref := sliceDefault_Intbyte$$$_S_$$$() + + // *hs_V0_CN1.LocalEphemeralA = (nil:ByteString_c7a67a88_T) + (ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref := sliceDefault_Intbyte$$$_S_$$$() + + // N17 = new(Connection_c7a67a88_T{0, sendKey_V1, recvKey_V1, *hs_V0_CN1.RemoteIndexA}) + var fn$$0: ShStruct4[Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget1of4(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of4(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of4(fn$$0): Ref).val$_Int, write) && (true && (ShStructget0of4(fn$$0): Ref).val$_Int == (get0of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Int) && (ShStructget1of4(fn$$0): Ref).val$_Slice_Ref == (get1of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Slice[Ref]) && (ShStructget2of4(fn$$0): Ref).val$_Slice_Ref == (get2of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Slice[Ref]) && (ShStructget3of4(fn$$0): Ref).val$_Int == (get3of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): 
Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Int)) + N17 := fn$$0 + + // conn_V0_CN3 = N17 + conn_V0_CN3 := N17 + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN3)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN3), write) + + // return + goto returnLabel + label returnLabel + + // conn_V0 = conn_V0_CN3 + conn_V0 := conn_V0_CN3 +} + +method forwardPackets_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], conn_V0: ShStruct4[Ref, Ref, Ref, Ref], sidRT_V0: D$9084e2f5_1186dc0d_, kirT_V0: D$9084e2f5_1186dc0d_, kriT_V0: D$9084e2f5_1186dc0d_, t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), write) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, getRid_1605c048_PMInitiator(initiator_V0), s_V0), write) + requires ConnectionKIR_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kirT_V0) + requires ConnectionKRI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kriT_V0) + requires ConnectionSidI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(sidRT_V0) + requires ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 + requires 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s_V0)) +{ + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, conn_V0_CN1: *Connection_c7a67a88_T°, sidRT_V0_CN2: Term_1186dc0d_T°, kirT_V0_CN3: Term_1186dc0d_T°, kriT_V0_CN4: Term_1186dc0d_T°, t_V0_CN5: Place_c3672ae3_T°, s_V0_CN6: mset[Fact_3e61b158_T]° + var s_V0_CN6: Multiset[D$226445f2_3e61b158_] + var t_V0_CN5: D$fe170ee1_c3672ae3_ + var kriT_V0_CN4: D$9084e2f5_1186dc0d_ + var kirT_V0_CN3: D$9084e2f5_1186dc0d_ + var 
sidRT_V0_CN2: D$9084e2f5_1186dc0d_ + var conn_V0_CN1: ShStruct4[Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init conn_V0_CN1 + inhale conn_V0_CN1 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init sidRT_V0_CN2 + inhale sidRT_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init kirT_V0_CN3 + inhale kirT_V0_CN3 == dfltD$9084e2f5_1186dc0d_() + + // init kriT_V0_CN4 + inhale kriT_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init t_V0_CN5 + inhale t_V0_CN5 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN6 + inhale s_V0_CN6 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // conn_V0_CN1 = conn_V0 + conn_V0_CN1 := conn_V0 + + // sidRT_V0_CN2 = sidRT_V0 + sidRT_V0_CN2 := sidRT_V0 + + // kirT_V0_CN3 = kirT_V0 + kirT_V0_CN3 := kirT_V0 + + // kriT_V0_CN4 = kriT_V0 + kriT_V0_CN4 := kriT_V0 + + // t_V0_CN5 = t_V0 + t_V0_CN5 := t_V0 + + // s_V0_CN6 = s_V0 + s_V0_CN6 := s_V0 + + // decl t1_V1: Place_c3672ae3_T°, s1_V1: mset[Fact_3e61b158_T]°, isFirstMessage_V1: bool° + var isFirstMessage_V1: Bool + var s1_V1: Multiset[D$226445f2_3e61b158_] + var t1_V1: D$fe170ee1_c3672ae3_ + + // init t1_V1 + inhale t1_V1 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V1 + inhale s1_V1 == Multiset[D$226445f2_3e61b158_]() + + // t1_V1 = t_V0_CN5 + t1_V1 := t_V0_CN5 + + // s1_V1 = s_V0_CN6 + s1_V1 := s_V0_CN6 + + // init isFirstMessage_V1 + inhale isFirstMessage_V1 == false + + // isFirstMessage_V1 = true + isFirstMessage_V1 := true + + // decl L$12$1$Break + + // while(true) +// 
invariant acc(InitiatorMem_1605c048_F(initiator_V0_CN0)) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1)) +// invariant ConnectionKIR_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kirT_V0_CN3) +// invariant ConnectionKRI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kriT_V0_CN4) +// invariant ConnectionSidI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(sidRT_V0_CN2) +// invariant isFirstMessage_V1 ==> ConnectionNonceVal_c7a67a88_F(conn_V0_CN1) == 0 +// invariant !isFirstMessage_V1 ==> ConnectionNonceVal_c7a67a88_F(conn_V0_CN1) > 0 +// invariant acc(token_c3672ae3_F(t1_V1)) && acc(P_Init_c0f0ff6b_F(t1_V1, initiator_V0_CN0.getRid(), s1_V1)) +// invariant isFirstMessage_V1 ==> 0 < St_Init_2_3e61b158_F(initiator_V0_CN0.getRid(), getFirst_d2674021_F(initiator_V0_CN0.getPP()), getSecond_d2674021_F(initiator_V0_CN0.getPP()), getThird_d2674021_F(initiator_V0_CN0.getPP()), getForth_d2674021_F(initiator_V0_CN0.getPP()), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1 +// invariant !isFirstMessage_V1 ==> 0 < St_Init_3_3e61b158_F(initiator_V0_CN0.getRid(), getFirst_d2674021_F(initiator_V0_CN0.getPP()), getSecond_d2674021_F(initiator_V0_CN0.getPP()), getThird_d2674021_F(initiator_V0_CN0.getPP()), getForth_d2674021_F(initiator_V0_CN0.getPP()), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1 + + + while (true) + invariant acc(InitiatorMem_1605c048_F(initiator_V0_CN0), write) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), write) + invariant ConnectionKIR_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kirT_V0_CN3) + invariant ConnectionKRI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kriT_V0_CN4) + invariant ConnectionSidI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(sidRT_V0_CN2) + invariant isFirstMessage_V1 ==> ConnectionNonceVal_c7a67a88_F(conn_V0_CN1) == 0 + invariant !isFirstMessage_V1 ==> ConnectionNonceVal_c7a67a88_F(conn_V0_CN1) > 0 + invariant acc(token_c3672ae3_F(t1_V1), write) && acc(P_Init_c0f0ff6b_F(t1_V1, getRid_1605c048_PMInitiator(initiator_V0_CN0), s1_V1), write) + invariant 
isFirstMessage_V1 ==> 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0_CN0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1)) + invariant !isFirstMessage_V1 ==> 0 < ((St_Init_3_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0_CN0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1)) + { + + // decl L$12$1$Continue + + // decl rid_V2: Term_1186dc0d_T°, request_V2: ByteString_c7a67a88_T°, ok_V2: bool°, term_V2: Term_1186dc0d_T°, N55: ByteString_c7a67a88_T°, N56: bool°, N57: Term_1186dc0d_T°, N58: Place_c3672ae3_T° + var N58: D$fe170ee1_c3672ae3_ + var N57: D$9084e2f5_1186dc0d_ + var N56: Bool + var N55: Slice[Ref] + var term_V2: D$9084e2f5_1186dc0d_ + var ok_V2: Bool + var request_V2: Slice[Ref] + var rid_V2: D$9084e2f5_1186dc0d_ + + // init rid_V2 + inhale rid_V2 == dfltD$9084e2f5_1186dc0d_() + + // rid_V2 = initiator_V0_CN0.getRid() + rid_V2 := getRid_1605c048_PMInitiator(initiator_V0_CN0) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + unfold acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // unfold acc(phiRF_Init_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + unfold acc(phiRF_Init_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // assert acc(e_Message_c0f0ff6b_F(t1_V1, rid_V2)) + assert acc(e_Message_c0f0ff6b_F(t1_V1, rid_V2), write) + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // init request_V2 + inhale 
request_V2 == sliceDefault_Intbyte$$$_S_$$$() + + // request_V2 = dflt[ByteString_c7a67a88_T] + request_V2 := sliceDefault_Intbyte$$$_S_$$$() + + // init ok_V2 + inhale ok_V2 == false + + // ok_V2 = dflt[bool] + ok_V2 := false + + // init term_V2 + inhale term_V2 == dfltD$9084e2f5_1186dc0d_() + + // term_V2 = dflt[Term_1186dc0d_T] + term_V2 := dfltD$9084e2f5_1186dc0d_() + + // N55, N56, N57, N58 = &*initiator_V0_CN0.LibStateAGetPacket(t1_V1, rid_V2) + N55, N56, N57, N58 := GetPacket_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), t1_V1, rid_V2) + + // request_V2 = N55 + request_V2 := N55 + + // ok_V2 = N56 + ok_V2 := N56 + + // term_V2 = N57 + term_V2 := N57 + + // t1_V1 = N58 + t1_V1 := N58 + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // if(ok_V2) {...} else {...} + if (ok_V2) { + + // decl + + // s1_V1 = s1_V1 union mset[Fact_3e61b158_T] { Message_Init_3e61b158_F(rid_V2, term_V2) } + s1_V1 := (s1_V1 union Multiset(Message_Init_3e61b158_F(rid_V2, term_V2))) + } else { + + // decl + + // fold acc(phiRF_Init_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + fold acc(phiRF_Init_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // fold acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + fold acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + } + + // assert ok_V2 ==> acc(token_c3672ae3_F(t1_V1)) && acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + assert ok_V2 ==> acc(token_c3672ae3_F(t1_V1), write) && acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // assert !ok_V2 ==> acc(token_c3672ae3_F(t1_V1)) && acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + assert !ok_V2 ==> acc(token_c3672ae3_F(t1_V1), write) && acc(P_Init_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // assert isFirstMessage_V1 ==> 0 < St_Init_2_3e61b158_F(rid_V2, getFirst_d2674021_F(initiator_V0_CN0.getPP()), getSecond_d2674021_F(initiator_V0_CN0.getPP()), 
getThird_d2674021_F(initiator_V0_CN0.getPP()), getForth_d2674021_F(initiator_V0_CN0.getPP()), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1 + assert isFirstMessage_V1 ==> 0 < ((St_Init_2_3e61b158_F(rid_V2, getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1)) + + // assert !isFirstMessage_V1 ==> 0 < St_Init_3_3e61b158_F(rid_V2, getFirst_d2674021_F(initiator_V0_CN0.getPP()), getSecond_d2674021_F(initiator_V0_CN0.getPP()), getThird_d2674021_F(initiator_V0_CN0.getPP()), getForth_d2674021_F(initiator_V0_CN0.getPP()), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1 + assert !isFirstMessage_V1 ==> 0 < ((St_Init_3_3e61b158_F(rid_V2, getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1)) + + // if(ok_V2) {...} else {...} + if (ok_V2) { + + // decl isInState3_V3: bool°, N78: bool°, N79: bool°, N80: Place_c3672ae3_T°, N81: mset[Fact_3e61b158_T]° + var N81: Multiset[D$226445f2_3e61b158_] + var N80: D$fe170ee1_c3672ae3_ + var N79: Bool + var N78: Bool + var isInState3_V3: Bool + + // init isInState3_V3 + inhale isInState3_V3 == false + + // isInState3_V3 = dflt[bool] + isInState3_V3 := false + + // N78, N79, N80, N81 = initiator_V0_CN0sendMessage(request_V2, conn_V0_CN1, isFirstMessage_V1, sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4, term_V2, t1_V1, s1_V1) + N78, N79, N80, N81 := sendMessage_1605c048_PMInitiator(initiator_V0_CN0, request_V2, conn_V0_CN1, isFirstMessage_V1, sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4, term_V2, t1_V1, s1_V1) + + // ok_V2 = N78 + 
ok_V2 := N78 + + // isInState3_V3 = N79 + isInState3_V3 := N79 + + // t1_V1 = N80 + t1_V1 := N80 + + // s1_V1 = N81 + s1_V1 := N81 + + // isFirstMessage_V1 = !isInState3_V3 + isFirstMessage_V1 := !isInState3_V3 + + // if(ok_V2) {...} else {...} + if (ok_V2) { + + // decl response_V4: ByteString_c7a67a88_T°, done_V4: bool° + var done_V4: Bool + var response_V4: Slice[Ref] + + // init response_V4 + inhale response_V4 == sliceDefault_Intbyte$$$_S_$$$() + + // response_V4 = dflt[ByteString_c7a67a88_T] + response_V4 := sliceDefault_Intbyte$$$_S_$$$() + + // init done_V4 + inhale done_V4 == false + + // done_V4 = false + done_V4 := false + + // decl L$54$4$Break + + // while(!done_V4) +// invariant acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/4) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1/4) +// invariant done_V4 ==> acc(Mem_c7a67a88_F(response_V4)) +// invariant acc(token_c3672ae3_F(t1_V1)) && acc(P_Init_c0f0ff6b_F(t1_V1, initiator_V0_CN0.getRid(), s1_V1)) +// invariant ConnectionKIR_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kirT_V0_CN3) +// invariant ConnectionKRI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kriT_V0_CN4) +// invariant ConnectionSidI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(sidRT_V0_CN2) +// invariant 0 < St_Init_3_3e61b158_F(initiator_V0_CN0.getRid(), getFirst_d2674021_F(initiator_V0_CN0.getPP()), getSecond_d2674021_F(initiator_V0_CN0.getPP()), getThird_d2674021_F(initiator_V0_CN0.getPP()), getForth_d2674021_F(initiator_V0_CN0.getPP()), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1 + + + while (!done_V4) + invariant acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 4) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1 / 4) + invariant done_V4 ==> acc(Mem_c7a67a88_F(response_V4), write) + invariant acc(token_c3672ae3_F(t1_V1), write) && acc(P_Init_c0f0ff6b_F(t1_V1, getRid_1605c048_PMInitiator(initiator_V0_CN0), s1_V1), write) + invariant ConnectionKIR_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kirT_V0_CN3) + invariant 
ConnectionKRI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(kriT_V0_CN4) + invariant ConnectionSidI_c7a67a88_F(conn_V0_CN1) == gamma_b3aa12e7_F(sidRT_V0_CN2) + invariant 0 < ((St_Init_3_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0_CN0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0_CN0)), sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4) in s1_V1)) + { + + // decl L$54$4$Continue + + // decl N99: ByteString_c7a67a88_T°, N100: bool°, N101: Place_c3672ae3_T°, N102: mset[Fact_3e61b158_T]° + var N102: Multiset[D$226445f2_3e61b158_] + var N101: D$fe170ee1_c3672ae3_ + var N100: Bool + var N99: Slice[Ref] + + // N99, N100, N101, N102 = initiator_V0_CN0receiveMessage(conn_V0_CN1, sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4, t1_V1, s1_V1) + N99, N100, N101, N102 := receiveMessage_1605c048_PMInitiator(initiator_V0_CN0, conn_V0_CN1, sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4, t1_V1, s1_V1) + + // response_V4 = N99 + response_V4 := N99 + + // done_V4 = N100 + done_V4 := N100 + + // t1_V1 = N101 + t1_V1 := N101 + + // s1_V1 = N102 + s1_V1 := N102 + + // L$54$4$Continue + label L$54$4$Continue + if (!done_V4) { + + } + + } + + // L$54$4$Break + label L$54$4$Break + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + + // &*initiator_V0_CN0.LibStateAConsumePacket(response_V4) + ConsumePacket_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), response_V4) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/2) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 2) + } + } + + // L$12$1$Continue + label L$12$1$Continue + if (true) { + + } + + } + + // L$12$1$Break + label L$12$1$Break + label returnLabel +} + +method 
sendMessage_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], msg_V0: Slice[Ref], conn_V0: ShStruct4[Ref, Ref, Ref, Ref], isFirstMessage_V0: Bool, sidRT_V0: D$9084e2f5_1186dc0d_, kirT_V0: D$9084e2f5_1186dc0d_, kriT_V0: D$9084e2f5_1186dc0d_, msgTerm_V0: D$9084e2f5_1186dc0d_, t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, isInState3_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) && acc(Mem_c7a67a88_F(msg_V0), write) + requires Abs_c7a67a88_F(msg_V0) == gamma_b3aa12e7_F(msgTerm_V0) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, getRid_1605c048_PMInitiator(initiator_V0), s_V0), write) + requires 0 < ((Message_Init_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), msgTerm_V0) in s_V0)) + requires ConnectionKIR_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kirT_V0) + requires ConnectionKRI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kriT_V0) + requires ConnectionSidI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(sidRT_V0) + requires isFirstMessage_V0 ==> ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 + requires !isFirstMessage_V0 ==> ConnectionNonceVal_c7a67a88_F(conn_V0) > 0 + requires isFirstMessage_V0 ==> 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s_V0)) + requires !isFirstMessage_V0 ==> 0 < ((St_Init_3_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), 
getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s_V0)) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) + ensures acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, getRid_1605c048_PMInitiator(initiator_V0), s1_V0), write) + ensures ConnectionKIR_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kirT_V0) + ensures ConnectionKRI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kriT_V0) + ensures ConnectionSidI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(sidRT_V0) + ensures !isFirstMessage_V0 ==> isInState3_V0 + ensures ok_V0 ==> isInState3_V0 + ensures !isInState3_V0 ==> 0 < ((St_Init_2_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s1_V0)) + ensures isInState3_V0 ==> 0 < ((St_Init_3_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s1_V0)) + ensures !isInState3_V0 ==> ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 + ensures isInState3_V0 ==> ConnectionNonceVal_c7a67a88_F(conn_V0) > 0 +{ + inhale ok_V0 == false + inhale isInState3_V0 == false + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, msg_V0_CN1: ByteString_c7a67a88_T°, conn_V0_CN2: *Connection_c7a67a88_T°, isFirstMessage_V0_CN3: bool°, sidRT_V0_CN4: Term_1186dc0d_T°, kirT_V0_CN5: 
Term_1186dc0d_T°, kriT_V0_CN6: Term_1186dc0d_T°, msgTerm_V0_CN7: Term_1186dc0d_T°, t_V0_CN8: Place_c3672ae3_T°, s_V0_CN9: mset[Fact_3e61b158_T]°, ok_V0_CN10: bool°, isInState3_V0_CN11: bool°, t1_V0_CN12: Place_c3672ae3_T°, s1_V0_CN13: mset[Fact_3e61b158_T]° + var s1_V0_CN13: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN12: D$fe170ee1_c3672ae3_ + var isInState3_V0_CN11: Bool + var ok_V0_CN10: Bool + var s_V0_CN9: Multiset[D$226445f2_3e61b158_] + var t_V0_CN8: D$fe170ee1_c3672ae3_ + var msgTerm_V0_CN7: D$9084e2f5_1186dc0d_ + var kriT_V0_CN6: D$9084e2f5_1186dc0d_ + var kirT_V0_CN5: D$9084e2f5_1186dc0d_ + var sidRT_V0_CN4: D$9084e2f5_1186dc0d_ + var isFirstMessage_V0_CN3: Bool + var conn_V0_CN2: ShStruct4[Ref, Ref, Ref, Ref] + var msg_V0_CN1: Slice[Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init msg_V0_CN1 + inhale msg_V0_CN1 == sliceDefault_Intbyte$$$_S_$$$() + + // init conn_V0_CN2 + inhale conn_V0_CN2 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init isFirstMessage_V0_CN3 + inhale isFirstMessage_V0_CN3 == false + + // init sidRT_V0_CN4 + inhale sidRT_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init kirT_V0_CN5 + inhale kirT_V0_CN5 == dfltD$9084e2f5_1186dc0d_() + + // init kriT_V0_CN6 + inhale kriT_V0_CN6 == dfltD$9084e2f5_1186dc0d_() + + // init msgTerm_V0_CN7 + inhale msgTerm_V0_CN7 == dfltD$9084e2f5_1186dc0d_() + + // init t_V0_CN8 + inhale t_V0_CN8 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN9 + inhale s_V0_CN9 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN10 + inhale ok_V0_CN10 == false + + // init 
isInState3_V0_CN11 + inhale isInState3_V0_CN11 == false + + // init t1_V0_CN12 + inhale t1_V0_CN12 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN13 + inhale s1_V0_CN13 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // msg_V0_CN1 = msg_V0 + msg_V0_CN1 := msg_V0 + + // conn_V0_CN2 = conn_V0 + conn_V0_CN2 := conn_V0 + + // isFirstMessage_V0_CN3 = isFirstMessage_V0 + isFirstMessage_V0_CN3 := isFirstMessage_V0 + + // sidRT_V0_CN4 = sidRT_V0 + sidRT_V0_CN4 := sidRT_V0 + + // kirT_V0_CN5 = kirT_V0 + kirT_V0_CN5 := kirT_V0 + + // kriT_V0_CN6 = kriT_V0 + kriT_V0_CN6 := kriT_V0 + + // msgTerm_V0_CN7 = msgTerm_V0 + msgTerm_V0_CN7 := msgTerm_V0 + + // t_V0_CN8 = t_V0 + t_V0_CN8 := t_V0 + + // s_V0_CN9 = s_V0 + s_V0_CN9 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, nonce_V1: uint64°, N86: ByteString_c7a67a88_T°, nonceBytes_V1: ByteString_c7a67a88_T°, N87: ByteString_c7a67a88_T°, plaintext_V1: ByteString_c7a67a88_T°, N88: ByteString_c7a67a88_T°, N89: bool°, encryptedMsg_V1: ByteString_c7a67a88_T°, N90: *Message_c7a67a88_T°, message_V1: *Message_c7a67a88_T°, sidR_V1: Bytes_b3aa12e7_T°, N92: ByteString_c7a67a88_T°, packet_V1: ByteString_c7a67a88_T°, packetT_V1: Term_1186dc0d_T°, N123: bool°, N124: Place_c3672ae3_T° + var N124: D$fe170ee1_c3672ae3_ + var N123: Bool + var packetT_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N92: Slice[Ref] + var sidR_V1: D$8d64a7ad_b3aa12e7_ + var message_V1: ShStruct4[Ref, Ref, Ref, Ref] + var N90: ShStruct4[Ref, Ref, Ref, Ref] + var encryptedMsg_V1: Slice[Ref] + var N89: Bool + var N88: Slice[Ref] + var plaintext_V1: Slice[Ref] + var N87: Slice[Ref] + var nonceBytes_V1: Slice[Ref] + var N86: Slice[Ref] + var nonce_V1: Int + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = initiator_V0_CN0.getRid() + rid_V1 := 
getRid_1605c048_PMInitiator(initiator_V0_CN0) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = initiator_V0_CN0.getPP() + pp_V1 := getPP_1605c048_PMInitiator(initiator_V0_CN0) + + // isInState3_V0_CN11 = !isFirstMessage_V0_CN3 + isInState3_V0_CN11 := !isFirstMessage_V0_CN3 + + // unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // if(*conn_V0_CN2.NonceA >= 18446744073709543423) {...} else {...} + if ((ShStructget0of4(conn_V0_CN2): Ref).val$_Int >= 18446744073709543423) { + + // decl N78: Place_c3672ae3_T°, N79: mset[Fact_3e61b158_T]° + var N79: Multiset[D$226445f2_3e61b158_] + var N78: D$fe170ee1_c3672ae3_ + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // N78 = t_V0_CN8 + N78 := t_V0_CN8 + + // N79 = s_V0_CN9 + N79 := s_V0_CN9 + + // t1_V0_CN12 = N78 + t1_V0_CN12 := N78 + + // s1_V0_CN13 = N79 + s1_V0_CN13 := N79 + + // ok_V0_CN10 = false + ok_V0_CN10 := false + + // return + goto returnLabel + } + + // init nonce_V1 + inhale nonce_V1 == 0 + + // nonce_V1 = dflt[uint64] + nonce_V1 := 0 + + // if(*conn_V0_CN2.NonceA == 0) {...} else {...} + if ((ShStructget0of4(conn_V0_CN2): Ref).val$_Int == 0) { + + // decl N84: Place_c3672ae3_T°, N85: mset[Fact_3e61b158_T]° + var N85: Multiset[D$226445f2_3e61b158_] + var N84: D$fe170ee1_c3672ae3_ + + // nonce_V1 = 0 + nonce_V1 := 0 + + // N84 = t_V0_CN8 + N84 := t_V0_CN8 + + // N85 = s_V0_CN9 + N85 := s_V0_CN9 + + // t1_V0_CN12 = N84 + t1_V0_CN12 := N84 + + // s1_V0_CN13 = N85 + s1_V0_CN13 := N85 + } else { + + // decl N80: uint64°, N81: Place_c3672ae3_T° + var N81: D$fe170ee1_c3672ae3_ + var N80: Int + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9), write) + + // unfold acc(phiRF_Init_14_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9)) + unfold acc(phiRF_Init_14_c0f0ff6b_F(t_V0_CN8, rid_V1, s_V0_CN9), 
write) + + // assert acc(e_Counter_c0f0ff6b_F(t_V0_CN8, rid_V1)) + assert acc(e_Counter_c0f0ff6b_F(t_V0_CN8, rid_V1), write) + + // N80, N81 = GetCounter_c7a67a88_F(*conn_V0_CN2.NonceA, t_V0_CN8, rid_V1) + N80, N81 := GetCounter_c7a67a88_F((ShStructget0of4(conn_V0_CN2): Ref).val$_Int, t_V0_CN8, rid_V1) + + // nonce_V1 = N80 + nonce_V1 := N80 + + // t1_V0_CN12 = N81 + t1_V0_CN12 := N81 + + // s1_V0_CN13 = s_V0_CN9 union mset[Fact_3e61b158_T] { Counter_Init_3e61b158_F(rid_V1, integer64_d2674021_F(nonce_V1)) } + s1_V0_CN13 := (s_V0_CN9 union Multiset(Counter_Init_3e61b158_F(rid_V1, integer64_d2674021_F(nonce_V1)))) + } + + // N86 = NonceToBytes_c7a67a88_F(nonce_V1) + N86 := NonceToBytes_c7a67a88_F(nonce_V1) + + // init nonceBytes_V1 + inhale nonceBytes_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // nonceBytes_V1 = N86 + nonceBytes_V1 := N86 + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // N87 = &*initiator_V0_CN0.LibStateAPadMsg(msg_V0_CN1) + N87 := PadMsg_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), msg_V0_CN1) + + // init plaintext_V1 + inhale plaintext_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // plaintext_V1 = N87 + plaintext_V1 := N87 + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // N88, N89 = AeadEnc_c7a67a88_F(*conn_V0_CN2.SendKeyA, nonceBytes_V1, plaintext_V1, (nil:ByteString_c7a67a88_T)) + N88, N89 := AeadEnc_c7a67a88_F((ShStructget1of4(conn_V0_CN2): Ref).val$_Slice_Ref, nonceBytes_V1, plaintext_V1, sliceDefault_Intbyte$$$_S_$$$()) + + // init encryptedMsg_V1 + inhale encryptedMsg_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // encryptedMsg_V1 = N88 + encryptedMsg_V1 := N88 + + // ok_V0_CN10 = N89 + ok_V0_CN10 := N89 + + // if(!ok_V0_CN10) {...} else {...} + if (!ok_V0_CN10) { + + // decl + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold 
acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // return + goto returnLabel + } + + // N90 = new(Message_c7a67a88_T{4, *conn_V0_CN2.RemoteIndexA, nonce_V1, encryptedMsg_V1}) + var fn$$0: ShStruct4[Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget1of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget2of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget3of4(fn$$0): Ref).val$_Slice_Ref, write) && (true && (ShStructget0of4(fn$$0): Ref).val$_Int == (get0of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Int) && (ShStructget1of4(fn$$0): Ref).val$_Int == (get1of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Int) && (ShStructget2of4(fn$$0): Ref).val$_Int == (get2of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Int) && (ShStructget3of4(fn$$0): Ref).val$_Slice_Ref == (get3of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Slice[Ref])) + N90 := fn$$0 + + // init message_V1 + inhale message_V1 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_NonceA_Intuint64$$$_S_$$$_PayloadA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // message_V1 = N90 + message_V1 := N90 + + // init sidR_V1 + inhale sidR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // sidR_V1 = integer32B_b3aa12e7_F(*conn_V0_CN2.RemoteIndexA) + sidR_V1 := integer32B_b3aa12e7_F((ShStructget3of4(conn_V0_CN2): Ref).val$_Int) + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // N92 = MarshalMessage_c7a67a88_F(message_V1) + N92 := MarshalMessage_c7a67a88_F(message_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // packet_V1 = N92 + packet_V1 := 
N92 + + // init packetT_V1 + inhale packetT_V1 == dfltD$9084e2f5_1186dc0d_() + + // packetT_V1 = tuple4_d2674021_F(integer32_d2674021_F(4), sidRT_V0_CN4, integer64_d2674021_F(nonce_V1), aead_d2674021_F(kirT_V0_CN5, integer64_d2674021_F(nonce_V1), msgTerm_V0_CN7, zeroString_d2674021_F(0))) + packetT_V1 := tuple4_d2674021_F(integer32_d2674021_F(4), sidRT_V0_CN4, integer64_d2674021_F(nonce_V1), aead_d2674021_F(kirT_V0_CN5, integer64_d2674021_F(nonce_V1), msgTerm_V0_CN7, zeroString_d2674021_F(0))) + + // assert Abs_c7a67a88_F(packet_V1) == gamma_b3aa12e7_F(packetT_V1) + assert Abs_c7a67a88_F(packet_V1) == gamma_b3aa12e7_F(packetT_V1) + + // if(isFirstMessage_V0_CN3) {...} else {...} + if (isFirstMessage_V0_CN3) { + + // decl Q3sidI_V3: Term_1186dc0d_T°, Q3a_V3: Term_1186dc0d_T°, Q3b_V3: Term_1186dc0d_T°, Q3prologue_V3: Term_1186dc0d_T°, Q3info_V3: Term_1186dc0d_T°, Q3sidR_V3: Term_1186dc0d_T°, Q3kIR_V3: Term_1186dc0d_T°, Q3kRI_V3: Term_1186dc0d_T°, Q3p_V3: Term_1186dc0d_T°, l_V3: mset[Fact_3e61b158_T]°, aM_V3: mset[Claim_2716b91c_T]°, r_V3: mset[Fact_3e61b158_T]°, N119: Place_c3672ae3_T° + var N119: D$fe170ee1_c3672ae3_ + var r_V3: Multiset[D$226445f2_3e61b158_] + var aM_V3: Multiset[D$46be403b_2716b91c_] + var l_V3: Multiset[D$226445f2_3e61b158_] + var Q3p_V3: D$9084e2f5_1186dc0d_ + var Q3kRI_V3: D$9084e2f5_1186dc0d_ + var Q3kIR_V3: D$9084e2f5_1186dc0d_ + var Q3sidR_V3: D$9084e2f5_1186dc0d_ + var Q3info_V3: D$9084e2f5_1186dc0d_ + var Q3prologue_V3: D$9084e2f5_1186dc0d_ + var Q3b_V3: D$9084e2f5_1186dc0d_ + var Q3a_V3: D$9084e2f5_1186dc0d_ + var Q3sidI_V3: D$9084e2f5_1186dc0d_ + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // unfold acc(phiR_Init_2_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + unfold acc(phiR_Init_2_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // init Q3sidI_V3 + inhale Q3sidI_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3sidI_V3 = rid_V1 + Q3sidI_V3 
:= rid_V1 + + // init Q3a_V3 + inhale Q3a_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3a_V3 = getFirst_d2674021_F(pp_V1) + Q3a_V3 := getFirst_d2674021_F(pp_V1) + + // init Q3b_V3 + inhale Q3b_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3b_V3 = getSecond_d2674021_F(pp_V1) + Q3b_V3 := getSecond_d2674021_F(pp_V1) + + // init Q3prologue_V3 + inhale Q3prologue_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3prologue_V3 = getThird_d2674021_F(pp_V1) + Q3prologue_V3 := getThird_d2674021_F(pp_V1) + + // init Q3info_V3 + inhale Q3info_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3info_V3 = getForth_d2674021_F(pp_V1) + Q3info_V3 := getForth_d2674021_F(pp_V1) + + // init Q3sidR_V3 + inhale Q3sidR_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3sidR_V3 = sidRT_V0_CN4 + Q3sidR_V3 := sidRT_V0_CN4 + + // init Q3kIR_V3 + inhale Q3kIR_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3kIR_V3 = kirT_V0_CN5 + Q3kIR_V3 := kirT_V0_CN5 + + // init Q3kRI_V3 + inhale Q3kRI_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3kRI_V3 = kriT_V0_CN6 + Q3kRI_V3 := kriT_V0_CN6 + + // init Q3p_V3 + inhale Q3p_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q3p_V3 = msgTerm_V0_CN7 + Q3p_V3 := msgTerm_V0_CN7 + + // init l_V3 + inhale l_V3 == Multiset[D$226445f2_3e61b158_]() + + // l_V3 = InternalInit3L_d2674021_F(Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3) + l_V3 := InternalInit3L_d2674021_F(Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3) + + // init aM_V3 + inhale aM_V3 == Multiset[D$46be403b_2716b91c_]() + + // aM_V3 = InternalInit3A_d2674021_F(Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3) + aM_V3 := InternalInit3A_d2674021_F(Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3) + + // init r_V3 + inhale r_V3 == Multiset[D$226445f2_3e61b158_]() + + // r_V3 = InternalInit3R_d2674021_F(Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, 
Q3p_V3) + r_V3 := InternalInit3R_d2674021_F(Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3) + + // N119 = internBIO_e_Send_First_Init_c0f0ff6b_F(t1_V0_CN12, Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3, l_V3, aM_V3, r_V3) + N119 := internBIO_e_Send_First_Init_c0f0ff6b_F(t1_V0_CN12, Q3sidI_V3, Q3a_V3, Q3b_V3, Q3prologue_V3, Q3info_V3, Q3sidR_V3, Q3kIR_V3, Q3kRI_V3, Q3p_V3, l_V3, aM_V3, r_V3) + + // t1_V0_CN12 = N119 + t1_V0_CN12 := N119 + + // s1_V0_CN13 = U_3e61b158_F(l_V3, r_V3, s1_V0_CN13) + s1_V0_CN13 := U_3e61b158_F(l_V3, r_V3, s1_V0_CN13) + + // assert 0 < OutFact_Init_3e61b158_F(rid_V1, packetT_V1) in s1_V0_CN13 + assert 0 < ((OutFact_Init_3e61b158_F(rid_V1, packetT_V1) in s1_V0_CN13)) + } else { + + // decl Q4sidI_V2: Term_1186dc0d_T°, Q4a_V2: Term_1186dc0d_T°, Q4b_V2: Term_1186dc0d_T°, Q4prologue_V2: Term_1186dc0d_T°, Q4info_V2: Term_1186dc0d_T°, Q4sidR_V2: Term_1186dc0d_T°, Q4kIR_V2: Term_1186dc0d_T°, Q4kRI_V2: Term_1186dc0d_T°, Q4nIR_V2: Term_1186dc0d_T°, Q4p_V2: Term_1186dc0d_T°, l_V2: mset[Fact_3e61b158_T]°, aM_V2: mset[Claim_2716b91c_T]°, r_V2: mset[Fact_3e61b158_T]°, N109: Place_c3672ae3_T° + var N109: D$fe170ee1_c3672ae3_ + var r_V2: Multiset[D$226445f2_3e61b158_] + var aM_V2: Multiset[D$46be403b_2716b91c_] + var l_V2: Multiset[D$226445f2_3e61b158_] + var Q4p_V2: D$9084e2f5_1186dc0d_ + var Q4nIR_V2: D$9084e2f5_1186dc0d_ + var Q4kRI_V2: D$9084e2f5_1186dc0d_ + var Q4kIR_V2: D$9084e2f5_1186dc0d_ + var Q4sidR_V2: D$9084e2f5_1186dc0d_ + var Q4info_V2: D$9084e2f5_1186dc0d_ + var Q4prologue_V2: D$9084e2f5_1186dc0d_ + var Q4b_V2: D$9084e2f5_1186dc0d_ + var Q4a_V2: D$9084e2f5_1186dc0d_ + var Q4sidI_V2: D$9084e2f5_1186dc0d_ + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // unfold acc(phiR_Init_3_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + unfold 
acc(phiR_Init_3_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // init Q4sidI_V2 + inhale Q4sidI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4sidI_V2 = rid_V1 + Q4sidI_V2 := rid_V1 + + // init Q4a_V2 + inhale Q4a_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4a_V2 = getFirst_d2674021_F(pp_V1) + Q4a_V2 := getFirst_d2674021_F(pp_V1) + + // init Q4b_V2 + inhale Q4b_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4b_V2 = getSecond_d2674021_F(pp_V1) + Q4b_V2 := getSecond_d2674021_F(pp_V1) + + // init Q4prologue_V2 + inhale Q4prologue_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4prologue_V2 = getThird_d2674021_F(pp_V1) + Q4prologue_V2 := getThird_d2674021_F(pp_V1) + + // init Q4info_V2 + inhale Q4info_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4info_V2 = getForth_d2674021_F(pp_V1) + Q4info_V2 := getForth_d2674021_F(pp_V1) + + // init Q4sidR_V2 + inhale Q4sidR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4sidR_V2 = sidRT_V0_CN4 + Q4sidR_V2 := sidRT_V0_CN4 + + // init Q4kIR_V2 + inhale Q4kIR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4kIR_V2 = kirT_V0_CN5 + Q4kIR_V2 := kirT_V0_CN5 + + // init Q4kRI_V2 + inhale Q4kRI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4kRI_V2 = kriT_V0_CN6 + Q4kRI_V2 := kriT_V0_CN6 + + // init Q4nIR_V2 + inhale Q4nIR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4nIR_V2 = integer64_d2674021_F(nonce_V1) + Q4nIR_V2 := integer64_d2674021_F(nonce_V1) + + // init Q4p_V2 + inhale Q4p_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q4p_V2 = msgTerm_V0_CN7 + Q4p_V2 := msgTerm_V0_CN7 + + // init l_V2 + inhale l_V2 == Multiset[D$226445f2_3e61b158_]() + + // l_V2 = InternalInit4L_d2674021_F(Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2) + l_V2 := InternalInit4L_d2674021_F(Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2) + + // init aM_V2 + inhale aM_V2 == Multiset[D$46be403b_2716b91c_]() + + // aM_V2 = InternalInit4A_d2674021_F(Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, 
Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2) + aM_V2 := InternalInit4A_d2674021_F(Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2) + + // init r_V2 + inhale r_V2 == Multiset[D$226445f2_3e61b158_]() + + // r_V2 = InternalInit4R_d2674021_F(Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2) + r_V2 := InternalInit4R_d2674021_F(Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2) + + // N109 = internBIO_e_Send_Init_Loop_c0f0ff6b_F(t1_V0_CN12, Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2, l_V2, aM_V2, r_V2) + N109 := internBIO_e_Send_Init_Loop_c0f0ff6b_F(t1_V0_CN12, Q4sidI_V2, Q4a_V2, Q4b_V2, Q4prologue_V2, Q4info_V2, Q4sidR_V2, Q4kIR_V2, Q4kRI_V2, Q4nIR_V2, Q4p_V2, l_V2, aM_V2, r_V2) + + // t1_V0_CN12 = N109 + t1_V0_CN12 := N109 + + // s1_V0_CN13 = U_3e61b158_F(l_V2, r_V2, s1_V0_CN13) + s1_V0_CN13 := U_3e61b158_F(l_V2, r_V2, s1_V0_CN13) + + // assert OutFact_Init_3e61b158_F(rid_V1, packetT_V1) # s1_V0_CN13 > 0 + assert ((OutFact_Init_3e61b158_F(rid_V1, packetT_V1) in s1_V0_CN13)) > 0 + } + + // isInState3_V0_CN11 = true + isInState3_V0_CN11 := true + + // unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // *conn_V0_CN2.NonceA = *conn_V0_CN2.NonceA + 1 + (ShStructget0of4(conn_V0_CN2): Ref).val$_Int := (ShStructget0of4(conn_V0_CN2): Ref).val$_Int + 1 + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // unfold acc(phiRG_Init_5_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + unfold acc(phiRG_Init_5_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // assert OutFact_Init_3e61b158_F(rid_V1, 
packetT_V1) # s1_V0_CN13 > 0 + assert ((OutFact_Init_3e61b158_F(rid_V1, packetT_V1) in s1_V0_CN13)) > 0 + + // assert acc(e_OutFact_c0f0ff6b_F(t1_V0_CN12, rid_V1, packetT_V1)) + assert acc(e_OutFact_c0f0ff6b_F(t1_V0_CN12, rid_V1, packetT_V1), write) + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // N123, N124 = &*initiator_V0_CN0.LibStateASend(packet_V1, t1_V0_CN12, rid_V1, packetT_V1) + N123, N124 := Send_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, t1_V0_CN12, rid_V1, packetT_V1) + + // ok_V0_CN10 = N123 + ok_V0_CN10 := N123 + + // t1_V0_CN12 = N124 + t1_V0_CN12 := N124 + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // if(ok_V0_CN10) {...} else {...} + if (ok_V0_CN10) { + + // decl + + // s1_V0_CN13 = s1_V0_CN13 setminus mset[Fact_3e61b158_T] { OutFact_Init_3e61b158_F(rid_V1, packetT_V1) } + s1_V0_CN13 := (s1_V0_CN13 setminus Multiset(OutFact_Init_3e61b158_F(rid_V1, packetT_V1))) + } else { + + // decl + + // fold acc(phiRG_Init_5_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + fold acc(phiRG_Init_5_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + + // fold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13)) + fold acc(P_Init_c0f0ff6b_F(t1_V0_CN12, rid_V1, s1_V0_CN13), write) + } + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN10 + ok_V0 := ok_V0_CN10 + + // isInState3_V0 = isInState3_V0_CN11 + isInState3_V0 := isInState3_V0_CN11 + + // t1_V0 = t1_V0_CN12 + t1_V0 := t1_V0_CN12 + + // s1_V0 = s1_V0_CN13 + s1_V0 := s1_V0_CN13 +} + +method receiveMessage_1605c048_PMInitiator(initiator_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], conn_V0: ShStruct4[Ref, Ref, Ref, Ref], sidRT_V0: D$9084e2f5_1186dc0d_, kirT_V0: D$9084e2f5_1186dc0d_, kriT_V0: D$9084e2f5_1186dc0d_, t_V0: 
D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (msg_V0: Slice[Ref], ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), 1 / 8) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Init_c0f0ff6b_F(t_V0, getRid_1605c048_PMInitiator(initiator_V0), s_V0), write) + requires 0 < ((St_Init_3_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s_V0)) + requires ConnectionKIR_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kirT_V0) + requires ConnectionKRI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(kriT_V0) + requires ConnectionSidI_c7a67a88_F(conn_V0) == gamma_b3aa12e7_F(sidRT_V0) + ensures acc(InitiatorMem_1605c048_F(initiator_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), 1 / 8) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(msg_V0), write) + ensures acc(token_c3672ae3_F(t1_V0), write) && acc(P_Init_c0f0ff6b_F(t1_V0, getRid_1605c048_PMInitiator(initiator_V0), s1_V0), write) + ensures 0 < ((St_Init_3_3e61b158_F(getRid_1605c048_PMInitiator(initiator_V0), getFirst_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getSecond_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getThird_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), getForth_d2674021_F(getPP_1605c048_PMInitiator(initiator_V0)), sidRT_V0, kirT_V0, kriT_V0) in s1_V0)) +{ + inhale msg_V0 == sliceDefault_Intbyte$$$_S_$$$() + inhale ok_V0 == false + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl initiator_V0_CN0: *Initiator_1605c048_T°, conn_V0_CN1: *Connection_c7a67a88_T°, sidRT_V0_CN2: Term_1186dc0d_T°, kirT_V0_CN3: 
Term_1186dc0d_T°, kriT_V0_CN4: Term_1186dc0d_T°, t_V0_CN5: Place_c3672ae3_T°, s_V0_CN6: mset[Fact_3e61b158_T]°, msg_V0_CN7: ByteString_c7a67a88_T°, ok_V0_CN8: bool°, t1_V0_CN9: Place_c3672ae3_T°, s1_V0_CN10: mset[Fact_3e61b158_T]° + var s1_V0_CN10: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN9: D$fe170ee1_c3672ae3_ + var ok_V0_CN8: Bool + var msg_V0_CN7: Slice[Ref] + var s_V0_CN6: Multiset[D$226445f2_3e61b158_] + var t_V0_CN5: D$fe170ee1_c3672ae3_ + var kriT_V0_CN4: D$9084e2f5_1186dc0d_ + var kirT_V0_CN3: D$9084e2f5_1186dc0d_ + var sidRT_V0_CN2: D$9084e2f5_1186dc0d_ + var conn_V0_CN1: ShStruct4[Ref, Ref, Ref, Ref] + var initiator_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init initiator_V0_CN0 + inhale initiator_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init conn_V0_CN1 + inhale conn_V0_CN1 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init sidRT_V0_CN2 + inhale sidRT_V0_CN2 == dfltD$9084e2f5_1186dc0d_() + + // init kirT_V0_CN3 + inhale kirT_V0_CN3 == dfltD$9084e2f5_1186dc0d_() + + // init kriT_V0_CN4 + inhale kriT_V0_CN4 == dfltD$9084e2f5_1186dc0d_() + + // init t_V0_CN5 + inhale t_V0_CN5 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN6 + inhale s_V0_CN6 == Multiset[D$226445f2_3e61b158_]() + + // init msg_V0_CN7 + inhale msg_V0_CN7 == sliceDefault_Intbyte$$$_S_$$$() + + // init ok_V0_CN8 + inhale ok_V0_CN8 == false + + // init t1_V0_CN9 + inhale t1_V0_CN9 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN10 + inhale s1_V0_CN10 == Multiset[D$226445f2_3e61b158_]() + + // initiator_V0_CN0 = initiator_V0 + initiator_V0_CN0 := initiator_V0 + + // conn_V0_CN1 = conn_V0 + conn_V0_CN1 := conn_V0 + + // sidRT_V0_CN2 = sidRT_V0 
+ sidRT_V0_CN2 := sidRT_V0 + + // kirT_V0_CN3 = kirT_V0 + kirT_V0_CN3 := kirT_V0 + + // kriT_V0_CN4 = kriT_V0 + kriT_V0_CN4 := kriT_V0 + + // t_V0_CN5 = t_V0 + t_V0_CN5 := t_V0 + + // s_V0_CN6 = s_V0 + s_V0_CN6 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, N40: ByteString_c7a67a88_T°, N41: bool°, N42: Term_1186dc0d_T°, N43: Place_c3672ae3_T°, packet_V1: ByteString_c7a67a88_T°, term_V1: Term_1186dc0d_T°, recvB_V1: Bytes_b3aa12e7_T°, N46: *Message_c7a67a88_T°, N47: bool°, message_V1: *Message_c7a67a88_T°, N48: ByteString_c7a67a88_T°, nonceBytes_V1: ByteString_c7a67a88_T°, N49: ByteString_c7a67a88_T°, N50: bool°, plaintext_V1: ByteString_c7a67a88_T°, pp_V1: Term_1186dc0d_T°, sidI_V1: Bytes_b3aa12e7_T°, nonceB_V1: Bytes_b3aa12e7_T°, N68: Term_1186dc0d_T°, N69: Term_1186dc0d_T°, nRI_V1: Term_1186dc0d_T°, p_V1: Term_1186dc0d_T°, Q5sidI_V1: Term_1186dc0d_T°, Q5a_V1: Term_1186dc0d_T°, Q5b_V1: Term_1186dc0d_T°, Q5prologue_V1: Term_1186dc0d_T°, Q5info_V1: Term_1186dc0d_T°, Q5sidR_V1: Term_1186dc0d_T°, Q5kIR_V1: Term_1186dc0d_T°, Q5kRI_V1: Term_1186dc0d_T°, Q5x_V1: Term_1186dc0d_T°, Q5nIR_V1: Term_1186dc0d_T°, Q5p_V1: Term_1186dc0d_T°, l_V1: mset[Fact_3e61b158_T]°, aM_V1: mset[Claim_2716b91c_T]°, r_V1: mset[Fact_3e61b158_T]°, N82: Place_c3672ae3_T°, N84: ByteString_c7a67a88_T° + var N84: Slice[Ref] + var N82: D$fe170ee1_c3672ae3_ + var r_V1: Multiset[D$226445f2_3e61b158_] + var aM_V1: Multiset[D$46be403b_2716b91c_] + var l_V1: Multiset[D$226445f2_3e61b158_] + var Q5p_V1: D$9084e2f5_1186dc0d_ + var Q5nIR_V1: D$9084e2f5_1186dc0d_ + var Q5x_V1: D$9084e2f5_1186dc0d_ + var Q5kRI_V1: D$9084e2f5_1186dc0d_ + var Q5kIR_V1: D$9084e2f5_1186dc0d_ + var Q5sidR_V1: D$9084e2f5_1186dc0d_ + var Q5info_V1: D$9084e2f5_1186dc0d_ + var Q5prologue_V1: D$9084e2f5_1186dc0d_ + var Q5b_V1: D$9084e2f5_1186dc0d_ + var Q5a_V1: D$9084e2f5_1186dc0d_ + var Q5sidI_V1: D$9084e2f5_1186dc0d_ + var p_V1: D$9084e2f5_1186dc0d_ + var nRI_V1: D$9084e2f5_1186dc0d_ + var N69: D$9084e2f5_1186dc0d_ + var N68: 
D$9084e2f5_1186dc0d_ + var nonceB_V1: D$8d64a7ad_b3aa12e7_ + var sidI_V1: D$8d64a7ad_b3aa12e7_ + var pp_V1: D$9084e2f5_1186dc0d_ + var plaintext_V1: Slice[Ref] + var N50: Bool + var N49: Slice[Ref] + var nonceBytes_V1: Slice[Ref] + var N48: Slice[Ref] + var message_V1: ShStruct4[Ref, Ref, Ref, Ref] + var N47: Bool + var N46: ShStruct4[Ref, Ref, Ref, Ref] + var recvB_V1: D$8d64a7ad_b3aa12e7_ + var term_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N43: D$fe170ee1_c3672ae3_ + var N42: D$9084e2f5_1186dc0d_ + var N41: Bool + var N40: Slice[Ref] + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = initiator_V0_CN0.getRid() + rid_V1 := getRid_1605c048_PMInitiator(initiator_V0_CN0) + + // unfold acc(P_Init_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + unfold acc(P_Init_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // unfold acc(phiRF_Init_12_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + unfold acc(phiRF_Init_12_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // assert acc(e_InFact_c0f0ff6b_F(t_V0_CN5, rid_V1)) + assert acc(e_InFact_c0f0ff6b_F(t_V0_CN5, rid_V1), write) + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // N40, N41, N42, N43 = &*initiator_V0_CN0.LibStateAReceive(t_V0_CN5, rid_V1) + N40, N41, N42, N43 := Receive_c7a67a88_PMLibraryState((ShStructget0of4(initiator_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), t_V0_CN5, rid_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // init term_V1 + inhale term_V1 == dfltD$9084e2f5_1186dc0d_() + + // packet_V1 = N40 + packet_V1 := N40 + + // ok_V0_CN8 = N41 + ok_V0_CN8 := N41 + + // term_V1 = N42 + term_V1 := N42 + + // t1_V0_CN9 = N43 + t1_V0_CN9 := N43 + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // if(!ok_V0_CN8) {...} else {...} + if (!ok_V0_CN8) { + 
+ // decl + + // fold acc(phiRF_Init_12_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + fold acc(phiRF_Init_12_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // fold acc(P_Init_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + fold acc(P_Init_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // s1_V0_CN10 = s_V0_CN6 + s1_V0_CN10 := s_V0_CN6 + + // return + goto returnLabel + } + + // init recvB_V1 + inhale recvB_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // recvB_V1 = Abs_c7a67a88_F(packet_V1) + recvB_V1 := Abs_c7a67a88_F(packet_V1) + + // s1_V0_CN10 = s_V0_CN6 union mset[Fact_3e61b158_T] { InFact_Init_3e61b158_F(rid_V1, term_V1) } + s1_V0_CN10 := (s_V0_CN6 union Multiset(InFact_Init_3e61b158_F(rid_V1, term_V1))) + + // N46, N47 = UnmarshalMessage_c7a67a88_F(packet_V1) + N46, N47 := UnmarshalMessage_c7a67a88_F(packet_V1) + + // init message_V1 + inhale message_V1 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_NonceA_Intuint64$$$_S_$$$_PayloadA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // message_V1 = N46 + message_V1 := N46 + + // ok_V0_CN8 = N47 + ok_V0_CN8 := N47 + + // if(!ok_V0_CN8) {...} else {...} + if (!ok_V0_CN8) { + + // decl + + // return + goto returnLabel + } + + // ok_V0_CN8 = *message_V1.TypeA == 4 + ok_V0_CN8 := (ShStructget0of4(message_V1): Ref).val$_Int == 4 + + // if(!ok_V0_CN8) {...} else {...} + if (!ok_V0_CN8) { + + // decl + + // return + goto returnLabel + } + + // unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + unfold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // unfold acc(HandshakeArgsMem_c7a67a88_F(&*initiator_V0_CN0.HandshakeInfoA), 1/8) + unfold acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), 1 / 8) + + // ok_V0_CN8 = *initiator_V0_CN0.HandshakeInfoA.LocalIndexA == *message_V1.ReceiverA + ok_V0_CN8 := (ShStructget2of5((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int == (ShStructget1of4(message_V1): 
Ref).val$_Int + + // fold acc(HandshakeArgsMem_c7a67a88_F(&*initiator_V0_CN0.HandshakeInfoA), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(initiator_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), 1 / 8) + + // fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1/8) + fold acc(InitiatorMem_1605c048_F(initiator_V0_CN0), 1 / 8) + + // if(!ok_V0_CN8) {...} else {...} + if (!ok_V0_CN8) { + + // decl + + // return + goto returnLabel + } + + // N48 = NonceToBytes_c7a67a88_F(*message_V1.NonceA) + N48 := NonceToBytes_c7a67a88_F((ShStructget2of4(message_V1): Ref).val$_Int) + + // init nonceBytes_V1 + inhale nonceBytes_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // nonceBytes_V1 = N48 + nonceBytes_V1 := N48 + + // unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1/8) + unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1 / 8) + + // N49, N50 = AeadDec_c7a67a88_F(*conn_V0_CN1.RecvKeyA, nonceBytes_V1, *message_V1.PayloadA, (nil:ByteString_c7a67a88_T)) + N49, N50 := AeadDec_c7a67a88_F((ShStructget2of4(conn_V0_CN1): Ref).val$_Slice_Ref, nonceBytes_V1, (ShStructget3of4(message_V1): Ref).val$_Slice_Ref, sliceDefault_Intbyte$$$_S_$$$()) + + // init plaintext_V1 + inhale plaintext_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // plaintext_V1 = N49 + plaintext_V1 := N49 + + // ok_V0_CN8 = N50 + ok_V0_CN8 := N50 + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1/8) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1 / 8) + + // if(!ok_V0_CN8) {...} else {...} + if (!ok_V0_CN8) { + + // decl + + // return + goto returnLabel + } + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = initiator_V0_CN0.getPP() + pp_V1 := getPP_1605c048_PMInitiator(initiator_V0_CN0) + + // recvB_V1 = Abs_c7a67a88_F(packet_V1) + recvB_V1 := Abs_c7a67a88_F(packet_V1) + + // init sidI_V1 + inhale sidI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // sidI_V1 = integer32B_b3aa12e7_F(*message_V1.ReceiverA) + sidI_V1 := integer32B_b3aa12e7_F((ShStructget1of4(message_V1): 
Ref).val$_Int) + + // init nonceB_V1 + inhale nonceB_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // nonceB_V1 = integer64B_b3aa12e7_F(*message_V1.NonceA) + nonceB_V1 := integer64B_b3aa12e7_F((ShStructget2of4(message_V1): Ref).val$_Int) + + // assert recvB_V1 == gamma_b3aa12e7_F(tuple4_d2674021_F(oneTerm_b3aa12e7_F(integer32B_b3aa12e7_F(4)), rid_V1, oneTerm_b3aa12e7_F(nonceB_V1), aead_d2674021_F(kriT_V0_CN4, oneTerm_b3aa12e7_F(nonceB_V1), oneTerm_b3aa12e7_F(Abs_c7a67a88_F(plaintext_V1)), zeroString_d2674021_F(0)))) + assert recvB_V1 == gamma_b3aa12e7_F(tuple4_d2674021_F(oneTerm_b3aa12e7_F(integer32B_b3aa12e7_F(4)), rid_V1, oneTerm_b3aa12e7_F(nonceB_V1), aead_d2674021_F(kriT_V0_CN4, oneTerm_b3aa12e7_F(nonceB_V1), oneTerm_b3aa12e7_F(Abs_c7a67a88_F(plaintext_V1)), zeroString_d2674021_F(0)))) + + // N68, N69 = patternProperty4_8142c2d2_F(rid_V1, pp_V1, sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4, oneTerm_b3aa12e7_F(nonceB_V1), oneTerm_b3aa12e7_F(Abs_c7a67a88_F(plaintext_V1)), term_V1, t1_V0_CN9, s1_V0_CN10, true) + N68, N69 := patternProperty4_8142c2d2_F(rid_V1, pp_V1, sidRT_V0_CN2, kirT_V0_CN3, kriT_V0_CN4, oneTerm_b3aa12e7_F(nonceB_V1), oneTerm_b3aa12e7_F(Abs_c7a67a88_F(plaintext_V1)), term_V1, t1_V0_CN9, s1_V0_CN10, true) + + // init nRI_V1 + inhale nRI_V1 == dfltD$9084e2f5_1186dc0d_() + + // init p_V1 + inhale p_V1 == dfltD$9084e2f5_1186dc0d_() + + // nRI_V1 = N68 + nRI_V1 := N68 + + // p_V1 = N69 + p_V1 := N69 + + // assert term_V1 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V1, nRI_V1, aead_d2674021_F(kriT_V0_CN4, nRI_V1, p_V1, zeroString_d2674021_F(0))) + assert term_V1 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V1, nRI_V1, aead_d2674021_F(kriT_V0_CN4, nRI_V1, p_V1, zeroString_d2674021_F(0))) + + // unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN9, rid_V1, s1_V0_CN10)) + unfold acc(P_Init_c0f0ff6b_F(t1_V0_CN9, rid_V1, s1_V0_CN10), write) + + // unfold acc(phiR_Init_4_c0f0ff6b_F(t1_V0_CN9, rid_V1, s1_V0_CN10)) + unfold acc(phiR_Init_4_c0f0ff6b_F(t1_V0_CN9, rid_V1, 
s1_V0_CN10), write) + + // init Q5sidI_V1 + inhale Q5sidI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5sidI_V1 = rid_V1 + Q5sidI_V1 := rid_V1 + + // init Q5a_V1 + inhale Q5a_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5a_V1 = getFirst_d2674021_F(pp_V1) + Q5a_V1 := getFirst_d2674021_F(pp_V1) + + // init Q5b_V1 + inhale Q5b_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5b_V1 = getSecond_d2674021_F(pp_V1) + Q5b_V1 := getSecond_d2674021_F(pp_V1) + + // init Q5prologue_V1 + inhale Q5prologue_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5prologue_V1 = getThird_d2674021_F(pp_V1) + Q5prologue_V1 := getThird_d2674021_F(pp_V1) + + // init Q5info_V1 + inhale Q5info_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5info_V1 = getForth_d2674021_F(pp_V1) + Q5info_V1 := getForth_d2674021_F(pp_V1) + + // init Q5sidR_V1 + inhale Q5sidR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5sidR_V1 = sidRT_V0_CN2 + Q5sidR_V1 := sidRT_V0_CN2 + + // init Q5kIR_V1 + inhale Q5kIR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5kIR_V1 = kirT_V0_CN3 + Q5kIR_V1 := kirT_V0_CN3 + + // init Q5kRI_V1 + inhale Q5kRI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5kRI_V1 = kriT_V0_CN4 + Q5kRI_V1 := kriT_V0_CN4 + + // init Q5x_V1 + inhale Q5x_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5x_V1 = rid_V1 + Q5x_V1 := rid_V1 + + // init Q5nIR_V1 + inhale Q5nIR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5nIR_V1 = nRI_V1 + Q5nIR_V1 := nRI_V1 + + // init Q5p_V1 + inhale Q5p_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q5p_V1 = p_V1 + Q5p_V1 := p_V1 + + // init l_V1 + inhale l_V1 == Multiset[D$226445f2_3e61b158_]() + + // l_V1 = InternalInit5L_d2674021_F(Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1) + l_V1 := InternalInit5L_d2674021_F(Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1) + + // init aM_V1 + inhale aM_V1 == Multiset[D$46be403b_2716b91c_]() + + // aM_V1 = InternalInit5A_d2674021_F(Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, 
Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1) + aM_V1 := InternalInit5A_d2674021_F(Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1) + + // init r_V1 + inhale r_V1 == Multiset[D$226445f2_3e61b158_]() + + // r_V1 = InternalInit5R_d2674021_F(Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1) + r_V1 := InternalInit5R_d2674021_F(Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1) + + // assert M_3e61b158_F(l_V1, s1_V0_CN10) + assert M_3e61b158_F(l_V1, s1_V0_CN10) + + // N82 = internBIO_e_Receive_Init_Loop_c0f0ff6b_F(t1_V0_CN9, Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1, l_V1, aM_V1, r_V1) + N82 := internBIO_e_Receive_Init_Loop_c0f0ff6b_F(t1_V0_CN9, Q5sidI_V1, Q5a_V1, Q5b_V1, Q5prologue_V1, Q5info_V1, Q5sidR_V1, Q5kIR_V1, Q5kRI_V1, Q5x_V1, Q5nIR_V1, Q5p_V1, l_V1, aM_V1, r_V1) + + // t1_V0_CN9 = N82 + t1_V0_CN9 := N82 + + // s1_V0_CN10 = U_3e61b158_F(l_V1, r_V1, s1_V0_CN10) + s1_V0_CN10 := U_3e61b158_F(l_V1, r_V1, s1_V0_CN10) + + // N84 = CombineMsg_c7a67a88_F(*message_V1.TypeA, *message_V1.ReceiverA, *message_V1.NonceA, plaintext_V1) + N84 := CombineMsg_c7a67a88_F((ShStructget0of4(message_V1): Ref).val$_Int, (ShStructget1of4(message_V1): Ref).val$_Int, (ShStructget2of4(message_V1): Ref).val$_Int, plaintext_V1) + + // msg_V0_CN7 = N84 + msg_V0_CN7 := N84 + + // return + goto returnLabel + label returnLabel + + // msg_V0 = msg_V0_CN7 + msg_V0 := msg_V0_CN7 + + // ok_V0 = ok_V0_CN8 + ok_V0 := ok_V0_CN8 + + // t1_V0 = t1_V0_CN9 + t1_V0 := t1_V0_CN9 + + // s1_V0 = s1_V0_CN10 + s1_V0 := s1_V0_CN10 +} + +method panic_a4af0e5e_F(v_V0: Tuple2[Ref, Types]) + requires false + + +// decreases +method Error_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) returns (P0_PO0: Int) + requires !(thisItf == 
(tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf), write) + ensures acc(ErrorMem_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf), write) + + +method internBIO_e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, psk_V0, ekI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Init_1_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, psk_V0, ekI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: 
Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0, sidR_V0, epkR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Init_2_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0, sidR_V0, epkR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Send_First_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Send_First_Init_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: 
D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Send_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, x_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Receive_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, x_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: 
D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, kR_V0, pkI_V0, psk_V0, sidI_V0, epkI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Resp_1_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, kR_V0, pkI_V0, psk_V0, sidI_V0, epkI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0, ekR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures 
acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Resp_2_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0, ekR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, n_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Receive_First_Resp_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, n_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && 
acc(e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Send_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Receive_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method GetInit0I_c7a67a88_F(a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Int, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Setup_Init_c0f0ff6b_F(t_V0, rid_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Init_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> 
gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Init_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Setup_Init_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Init_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_Setup_Init_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Init_r2_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) ==> old(get_e_Setup_Init_r2_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0)) + + +method GetResp0R_c7a67a88_F(a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Int, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Setup_Resp_c0f0ff6b_F(t_V0, rid_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Resp_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Resp_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Setup_Resp_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Resp_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_Setup_Resp_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Resp_r2_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) ==> 
old(get_e_Setup_Resp_r2_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0)) + + +method GetLtKBio_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], own_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_LtK_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(b2_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_LtK_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> Abs_c7a67a88_F(b2_V0) == gamma_b3aa12e7_F(old(get_e_LtK_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_LtK_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_LtK_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_LtK_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + + +method GetLtpKBio_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], other_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_LtpK_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(b2_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_LtpK_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> Abs_c7a67a88_F(b2_V0) == gamma_b3aa12e7_F(old(get_e_LtpK_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> 
acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_LtpK_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_LtpK_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_LtpK_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + + +method GetPsKBio_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Int, b3_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_PsK_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(b3_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_PsK_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) == gamma_b3aa12e7_F(old(get_e_PsK_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> Abs_c7a67a88_F(b3_V0) == gamma_b3aa12e7_F(old(get_e_PsK_r3_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_PsK_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_PsK_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_PsK_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_PsK_r2_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) ==> old(get_e_PsK_r2_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0)) + + +method NewPrivateKey_c7a67a88_F(t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) 
returns (key_V0: Slice[Ref], ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_FrFact_c0f0ff6b_F(t_V0, rid_V0), write) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(key_V0), write) && Size_c7a67a88_F(key_V0) == 32 + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_FrFact_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> Abs_c7a67a88_F(key_V0) == gamma_b3aa12e7_F(old(get_e_FrFact_r1_c0f0ff6b_F(t_V0, rid_V0))) + + +method Timestamp_c7a67a88_F(t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (res_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Timestamp_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 12 + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Timestamp_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures Abs_c7a67a88_F(res_V0) == gamma_b3aa12e7_F(old(get_e_Timestamp_r1_c0f0ff6b_F(t_V0, rid_V0))) + + +method AddMac1_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref], b_V0: D$8d64a7ad_b3aa12e7_, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (mac1_V0: D$8d64a7ad_b3aa12e7_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_MAC_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) && Size_c7a67a88_F(msg_V0) == old(Size_c7a67a88_F(msg_V0)) + ensures mac1_V0 == gamma_b3aa12e7_F(old(get_e_MAC_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_MAC_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures old(Abs_c7a67a88_F(msg_V0)) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), 
getFifthB_b3aa12e7_F(b_V0), zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)) ==> Abs_c7a67a88_F(msg_V0) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), mac1_V0, zeroStringB_b3aa12e7_F(16)) + + +method AddMac2_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref], b_V0: D$8d64a7ad_b3aa12e7_, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (mac2_V0: D$8d64a7ad_b3aa12e7_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_MAC_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) && Size_c7a67a88_F(msg_V0) == old(Size_c7a67a88_F(msg_V0)) + ensures mac2_V0 == gamma_b3aa12e7_F(old(get_e_MAC_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_MAC_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures old(Abs_c7a67a88_F(msg_V0)) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), getSixthB_b3aa12e7_F(b_V0), zeroStringB_b3aa12e7_F(16)) ==> Abs_c7a67a88_F(msg_V0) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), getSixthB_b3aa12e7_F(b_V0), mac2_V0) + + +method GetCounter_c7a67a88_F(counter_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (res_V0: Int, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Counter_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Counter_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && integer64B_b3aa12e7_F(res_V0) == 
gamma_b3aa12e7_F(old(get_e_Counter_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures gamma_b3aa12e7_F(old(get_e_Counter_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(integer64_d2674021_F(res_V0)) ==> old(get_e_Counter_r1_c0f0ff6b_F(t_V0, rid_V0)) == integer64_d2674021_F(res_V0) + + +method NewLibraryState_c7a67a88_F(d_V0: Ref) returns (libState_V0: Tuple4[Ref, Int, Int, Int], args_V0: Tuple5[Slice[Ref], Slice[Ref], Int, Slice[Ref], Slice[Ref]], ok_V0: Bool) + + +method Receive_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (packet_V0: Slice[Ref], ok_V0: Bool, term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_InFact_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(packet_V0), write) && gamma_b3aa12e7_F(term_V0) == Abs_c7a67a88_F(packet_V0) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_InFact_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && term_V0 == old(get_e_InFact_r1_c0f0ff6b_F(t_V0, rid_V0)) + ensures !ok_V0 ==> t1_V0 == t_V0 && acc(token_c3672ae3_F(t_V0), write) && acc(e_InFact_c0f0ff6b_F(t_V0, rid_V0), write) && get_e_InFact_placeDst_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_InFact_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && get_e_InFact_r1_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_InFact_r1_c0f0ff6b_F(t_V0, rid_V0)) + + +method GetPacket_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (res_V0: Slice[Ref], ok_V0: Bool, term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Message_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + ensures ok_V0 
==> acc(Mem_c7a67a88_F(res_V0), write) && gamma_b3aa12e7_F(term_V0) == Abs_c7a67a88_F(res_V0) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Message_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && term_V0 == old(get_e_Message_r1_c0f0ff6b_F(t_V0, rid_V0)) + ensures !ok_V0 ==> t1_V0 == t_V0 && acc(token_c3672ae3_F(t_V0), write) && acc(e_Message_c0f0ff6b_F(t_V0, rid_V0), write) && get_e_Message_placeDst_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_Message_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && get_e_Message_r1_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_Message_r1_c0f0ff6b_F(t_V0, rid_V0)) + + +method ReceiveRequest_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (req_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + + +method ReceiveResponse_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + + +method ReceiveMessage_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (response_V0: ShStruct4[Ref, Ref, Ref, Ref], ok_V0: Bool) + + +method receiveBuffer_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (P0_PO0: Slice[Ref], P1_PO0: Tuple2[Ref, Types]) + + +method getMsgType_c7a67a88_F(packet_V0: Slice[Ref]) returns (P0_PO0: Int) + + +method Send_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], packet_V0: Slice[Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_, m_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_OutFact_c0f0ff6b_F(t_V0, rid_V0, m_V0), write) && gamma_b3aa12e7_F(m_V0) == Abs_c7a67a88_F(packet_V0) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 
== old(get_e_OutFact_placeDst_c0f0ff6b_F(t_V0, rid_V0, m_V0)) + ensures !ok_V0 ==> t1_V0 == t_V0 && acc(token_c3672ae3_F(t_V0), write) && acc(e_OutFact_c0f0ff6b_F(t_V0, rid_V0, m_V0), write) && get_e_OutFact_placeDst_c0f0ff6b_F(t_V0, rid_V0, m_V0) == old(get_e_OutFact_placeDst_c0f0ff6b_F(t_V0, rid_V0, m_V0)) + + +method ConsumePacket_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref]) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), 1 / 16) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), 1 / 16) + + +method sendBuffer_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], buffer_V0: Slice[Ref]) returns (P0_PO0: Tuple2[Ref, Types]) + + +method PadMsg_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref]) returns (res_V0: Slice[Ref]) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) >= old(Size_c7a67a88_F(msg_V0)) + ensures Abs_c7a67a88_F(res_V0) == old(Abs_c7a67a88_F(msg_V0)) + + +method AddMacs_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref], b_V0: D$8d64a7ad_b3aa12e7_) returns (mac1_V0: Slice[Ref], mac2_V0: Slice[Ref]) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) && Size_c7a67a88_F(msg_V0) == old(Size_c7a67a88_F(msg_V0)) + ensures acc(Mem_c7a67a88_F(mac1_V0), write) && acc(Mem_c7a67a88_F(mac2_V0), write) + ensures old(Abs_c7a67a88_F(msg_V0)) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)) ==> 
Abs_c7a67a88_F(msg_V0) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), Abs_c7a67a88_F(mac1_V0), Abs_c7a67a88_F(mac2_V0)) + + +method Println_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Int) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + + +method NewByteString_c7a67a88_F(n_V0: Int) returns (res_V0: Slice[Ref]) + requires n_V0 >= 0 + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == n_V0 + + +method WireGuardBytes_c7a67a88_F() returns (res_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(res_V0), write) + ensures Abs_c7a67a88_F(res_V0) == infoBytesB_b3aa12e7_F() + + +method PreludeBytes_c7a67a88_F() returns (res_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(res_V0), write) + ensures Abs_c7a67a88_F(res_V0) == prologueBytesB_b3aa12e7_F() + + +method ComputeSingleHash_c7a67a88_F(data_V0: Slice[Ref]) returns (res_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(data_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 32 + ensures Abs_c7a67a88_F(res_V0) == hashB__b3aa12e7_F(Abs_c7a67a88_F(data_V0)) + + +method ComputeHash_c7a67a88_F(dst_V0: Slice[Ref], h_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(h_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(dst_V0) == 32 && Size_c7a67a88_F(h_V0) == 32 + ensures acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(h_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(dst_V0) == 32 + ensures Abs_c7a67a88_F(dst_V0) == hashB_b3aa12e7_F(Abs_c7a67a88_F(h_V0), Abs_c7a67a88_F(data_V0)) + + +method ComputeHashInplace_c7a67a88_F(h_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(h_V0), write) && 
acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(h_V0) == 32 + ensures acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(h_V0) == 32 + ensures Abs_c7a67a88_F(h_V0) == hashB_b3aa12e7_F(old(Abs_c7a67a88_F(h_V0)), Abs_c7a67a88_F(data_V0)) + + +method ComputeKDF1_c7a67a88_F(dst_V0: Slice[Ref], c_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(c_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(dst_V0) == 32 && Size_c7a67a88_F(c_V0) == 32 + ensures acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(c_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(dst_V0) == 32 + ensures Abs_c7a67a88_F(dst_V0) == kdf1B_b3aa12e7_F(Abs_c7a67a88_F(c_V0), Abs_c7a67a88_F(data_V0)) + + +method ComputeKDF1Inplace_c7a67a88_F(h_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(h_V0) == 32 + ensures acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(h_V0) == 32 + ensures Abs_c7a67a88_F(h_V0) == kdf1B_b3aa12e7_F(old(Abs_c7a67a88_F(h_V0)), Abs_c7a67a88_F(data_V0)) + + +method ComputeKDF2_c7a67a88_F(t0_V0: Slice[Ref], t1_V0: Slice[Ref], key_V0: Slice[Ref], input_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(t0_V0), write) && acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) + requires !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(input_V0), 1 / 16) + requires Size_c7a67a88_F(t0_V0) == 32 && Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(key_V0) == 32 + ensures acc(Mem_c7a67a88_F(t0_V0), write) && acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) + ensures !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(input_V0), 1 / 16) + ensures Size_c7a67a88_F(t0_V0) == 32 && 
Size_c7a67a88_F(t1_V0) == 32 + ensures !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> Abs_c7a67a88_F(t0_V0) == kdf1B_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(input_V0)) + ensures !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> Abs_c7a67a88_F(t1_V0) == kdf2B_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(input_V0)) + ensures input_V0 == sliceDefault_Intbyte$$$_S_$$$() ==> Abs_c7a67a88_F(t0_V0) == kdf1B__b3aa12e7_F(Abs_c7a67a88_F(key_V0)) + ensures input_V0 == sliceDefault_Intbyte$$$_S_$$$() ==> Abs_c7a67a88_F(t1_V0) == kdf2B__b3aa12e7_F(Abs_c7a67a88_F(key_V0)) + + +method ComputeKDF2Inplace_c7a67a88_F(t1_V0: Slice[Ref], chainKey_V0: Slice[Ref], input_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + requires Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(chainKey_V0) == 32 + ensures acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + ensures Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(chainKey_V0) == 32 + ensures Abs_c7a67a88_F(chainKey_V0) == kdf1B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + ensures Abs_c7a67a88_F(t1_V0) == kdf2B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + + +method ComputeKDF3Inplace_c7a67a88_F(t1_V0: Slice[Ref], t2_V0: Slice[Ref], chainKey_V0: Slice[Ref], input_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(t2_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + requires Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(t2_V0) == 32 && Size_c7a67a88_F(chainKey_V0) == 32 + ensures acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(t2_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + ensures Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(t2_V0) == 32 && 
Size_c7a67a88_F(chainKey_V0) == 32 + ensures Abs_c7a67a88_F(chainKey_V0) == kdf1B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + ensures Abs_c7a67a88_F(t1_V0) == kdf2B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + ensures Abs_c7a67a88_F(t2_V0) == kdf3B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + + +method ComputeMac_c7a67a88_F(dst_V0: Slice[Ref], key_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(dst_V0) == 16 && Size_c7a67a88_F(key_V0) == 32 + ensures acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(dst_V0) == 16 + + +method PublicKey_c7a67a88_F(sk_V0: Slice[Ref]) returns (pk_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && Size_c7a67a88_F(sk_V0) == 32 + ensures acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk_V0), write) && Size_c7a67a88_F(pk_V0) == 32 + ensures Abs_c7a67a88_F(pk_V0) == expB_b3aa12e7_F(generatorB_b3aa12e7_F(), Abs_c7a67a88_F(sk_V0)) + + +method ComputeSharedSecret_c7a67a88_F(sk_V0: Slice[Ref], pk_V0: Slice[Ref]) returns (ss_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk_V0), 1 / 16) && Size_c7a67a88_F(sk_V0) == 32 && Size_c7a67a88_F(pk_V0) == 32 + ensures acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk_V0), 1 / 16) && acc(Mem_c7a67a88_F(ss_V0), write) && Size_c7a67a88_F(ss_V0) == 32 + ensures Abs_c7a67a88_F(ss_V0) == expB_b3aa12e7_F(Abs_c7a67a88_F(pk_V0), Abs_c7a67a88_F(sk_V0)) + + +method EqualsSlice_c7a67a88_F(pk1_V0: Slice[Ref], pk2_V0: Slice[Ref]) returns (res_V0: Bool) + requires acc(Mem_c7a67a88_F(pk1_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk2_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(pk1_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk2_V0), 1 / 16) + ensures res_V0 
== (Abs_c7a67a88_F(pk1_V0) == Abs_c7a67a88_F(pk2_V0)) + + +method RandUint32_c7a67a88_F() returns (v_V0: Int, success_V0: Bool) + + +method ZeroNonce_c7a67a88_F() returns (nonce_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(nonce_V0), write) && Size_c7a67a88_F(nonce_V0) == 12 + ensures Abs_c7a67a88_F(nonce_V0) == zeroStringB_b3aa12e7_F(12) + + +method SetZero_c7a67a88_F(arr_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(arr_V0), write) + ensures acc(Mem_c7a67a88_F(arr_V0), write) && Size_c7a67a88_F(arr_V0) == old(Size_c7a67a88_F(arr_V0)) + + +method IsZero_c7a67a88_F(val_V0: Slice[Ref]) returns (P0_PO0: Bool) + requires acc(Mem_c7a67a88_F(val_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(val_V0), 1 / 16) + + +method AeadEnc_c7a67a88_F(key_V0: Slice[Ref], nonce_V0: Slice[Ref], plaintext_V0: Slice[Ref], additionalData_V0: Slice[Ref]) returns (res_V0: Slice[Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) + requires !(plaintext_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(plaintext_V0), 1 / 16) + requires !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + requires Size_c7a67a88_F(key_V0) == 32 && Size_c7a67a88_F(nonce_V0) == 12 + ensures acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) + ensures !(plaintext_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(plaintext_V0), 1 / 16) + ensures !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == (plaintext_V0 == sliceDefault_Intbyte$$$_S_$$$() ? 
0 : Size_c7a67a88_F(plaintext_V0)) + 16 + ensures ok_V0 ==> Abs_c7a67a88_F(res_V0) == aeadB_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(nonce_V0), SafeAbs_c7a67a88_F(plaintext_V0, 0), SafeAbs_c7a67a88_F(additionalData_V0, 0)) + + +method AeadDec_c7a67a88_F(key_V0: Slice[Ref], nonce_V0: Slice[Ref], ciphertext_V0: Slice[Ref], additionalData_V0: Slice[Ref]) returns (res_V0: Slice[Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) && acc(Mem_c7a67a88_F(ciphertext_V0), 1 / 16) + requires !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + requires Size_c7a67a88_F(key_V0) == 32 && Size_c7a67a88_F(nonce_V0) == 12 + ensures acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) && acc(Mem_c7a67a88_F(ciphertext_V0), 1 / 16) + ensures !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == Size_c7a67a88_F(ciphertext_V0) - 16 + ensures ok_V0 ==> Abs_c7a67a88_F(ciphertext_V0) == aeadB_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(nonce_V0), Abs_c7a67a88_F(res_V0), SafeAbs_c7a67a88_F(additionalData_V0, 0)) + + +method NonceToBytes_c7a67a88_F(nonce_V0: Int) returns (res_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 12 + ensures Abs_c7a67a88_F(res_V0) == integer64B_b3aa12e7_F(nonce_V0) + + +method CombineMsg_c7a67a88_F(t_V0: Int, sid_V0: Int, nonce_V0: Int, payload_V0: Slice[Ref]) returns (res_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(payload_V0), write) + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == old(Size_c7a67a88_F(payload_V0)) + 16 + + +method MarshalRequest_c7a67a88_F(req_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) returns (res_V0: Slice[Ref]) + requires acc(RequestMem_c7a67a88_F(req_V0), 1 / 16) + ensures 
acc(RequestMem_c7a67a88_F(req_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 148 + ensures RequestAbs_c7a67a88_F(req_V0) == Abs_c7a67a88_F(res_V0) + + +method UnmarshalRequest_c7a67a88_F(packet_V0: Slice[Ref]) returns (req_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> Size_c7a67a88_F(packet_V0) == 148 && acc(RequestMem_c7a67a88_F(req_V0), write) + ensures ok_V0 ==> Abs_c7a67a88_F(packet_V0) == RequestAbs_c7a67a88_F(req_V0) + + +method MarshalResponse_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) returns (res_V0: Slice[Ref]) + requires acc(ResponseMem_c7a67a88_F(response_V0), 1 / 16) + ensures acc(ResponseMem_c7a67a88_F(response_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 92 + ensures Abs_c7a67a88_F(res_V0) == ResponseAbs_c7a67a88_F(response_V0) + + +method UnmarshalResponse_c7a67a88_F(packet_V0: Slice[Ref]) returns (response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> Size_c7a67a88_F(packet_V0) == 92 && acc(ResponseMem_c7a67a88_F(response_V0), write) + ensures ok_V0 ==> Abs_c7a67a88_F(packet_V0) == ResponseAbs_c7a67a88_F(response_V0) + + +method MarshalMessage_c7a67a88_F(message_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (res_V0: Slice[Ref]) + requires true && acc((ShStructget0of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget1of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget2of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget3of4(message_V0): Ref).val$_Slice_Ref, 1 / 16) && acc(Mem_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref), 1 / 16) && Size_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref) >= 16 + ensures true && 
acc((ShStructget0of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget1of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget2of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget3of4(message_V0): Ref).val$_Slice_Ref, 1 / 16) && acc(Mem_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == Size_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref) + 16 + ensures Abs_c7a67a88_F(res_V0) == tuple4B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of4(message_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of4(message_V0): Ref).val$_Int), integer64B_b3aa12e7_F((ShStructget2of4(message_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref)) + + +method UnmarshalMessage_c7a67a88_F(packet_V0: Slice[Ref]) returns (message_V0: ShStruct4[Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> Size_c7a67a88_F(packet_V0) >= 16 && (true && acc((ShStructget0of4(message_V0): Ref).val$_Int, write) && acc((ShStructget1of4(message_V0): Ref).val$_Int, write) && acc((ShStructget2of4(message_V0): Ref).val$_Int, write) && acc((ShStructget3of4(message_V0): Ref).val$_Slice_Ref, write)) && acc(Mem_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref) == Size_c7a67a88_F(packet_V0) - 16 + ensures ok_V0 ==> Abs_c7a67a88_F(packet_V0) == tuple4B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of4(message_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of4(message_V0): Ref).val$_Int), integer64B_b3aa12e7_F((ShStructget2of4(message_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref)) + + +method patternRequirement1_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, ltpk_V0: 
D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_, x8_V0: D$9084e2f5_1186dc0d_, x9_V0: D$9084e2f5_1186dc0d_, x10_V0: D$9084e2f5_1186dc0d_, x11_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(St_Init_1_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), kI_V0, ltpk_V0, ekI_V0, psk_V0, c3_V0, h4_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M2_lin_35781e6d_F(rid_V0, sidR_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M2_lin_35781e6d_F(rid_V0, x1_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0, x8_V0, x9_V0, x10_V0, x11_V0) + ensures acc(patternRequirement1EPKRWitness_8142c2d2_F(x2_V0), write) + + +method patternRequirement1_2_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, ltpk_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: 
D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, o_V0: D$9084e2f5_1186dc0d_) + requires acc(patternRequirement1EPKRWitness_8142c2d2_F(epkR_V0), write) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(St_Init_1_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), kI_V0, ltpk_V0, ekI_V0, psk_V0, c3_V0, h4_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M2_lin_35781e6d_F(rid_V0, sidR_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M2_lin_35781e6d_F(rid_V0, x1_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, o_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, x2_V0, x3_V0) + + +method patternRequirement3_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_, x8_V0: D$9084e2f5_1186dc0d_, x9_V0: D$9084e2f5_1186dc0d_, x10_V0: D$9084e2f5_1186dc0d_, x11_V0: D$9084e2f5_1186dc0d_, x12_V0: D$9084e2f5_1186dc0d_, x13_V0: 
D$9084e2f5_1186dc0d_, x14_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(Setup_Resp_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0))) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M1_lin_68d987ee_F(sidI_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, ts_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M1_lin_68d987ee_F(x1_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0, x8_V0, x9_V0, x10_V0, x11_V0, x12_V0, x13_V0, x14_V0) + ensures acc(patternRequirement3EPKIWitness_8142c2d2_F(x2_V0), write) + + +method patternRequirement3_2_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, o_V0: D$9084e2f5_1186dc0d_) + requires acc(patternRequirement3EPKIWitness_8142c2d2_F(epkI_V0), write) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(Setup_Resp_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0))) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M1_lin_68d987ee_F(sidI_V0, kR_V0, 
kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, ts_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M1_lin_68d987ee_F(x1_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, o_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, x2_V0, x3_V0, x4_V0) + + +method patternRequirement4_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, ridOther_V0: D$9084e2f5_1186dc0d_, ownKey_V0: D$9084e2f5_1186dc0d_, foreignKey_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, msg_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_], isInitiator_V0: Bool) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) + requires isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires isInitiator_V0 ==> (Multiset(St_Init_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, ownKey_V0, foreignKey_V0)) subset s_V0) + requires !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires !isInitiator_V0 ==> (Multiset(St_Resp_2_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) || (Multiset(St_Resp_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, n_V0, 
aead_d2674021_F(foreignKey_V0, n_V0, msg_V0, zeroString_d2674021_F(0)))) + ensures acc(token_c3672ae3_F(p_V0), write) + ensures isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, x1_V0, aead_d2674021_F(foreignKey_V0, x2_V0, x3_V0, zeroString_d2674021_F(0))) + ensures acc(patternRequirement4NonceWitness_8142c2d2_F(x1_V0), write) + + +method patternRequirement4_2_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, ridOther_V0: D$9084e2f5_1186dc0d_, ownKey_V0: D$9084e2f5_1186dc0d_, foreignKey_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, msg_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_], isInitiator_V0: Bool) returns (x1_V0: D$9084e2f5_1186dc0d_, o_V0: D$9084e2f5_1186dc0d_) + requires acc(patternRequirement4NonceWitness_8142c2d2_F(n_V0), write) + requires acc(token_c3672ae3_F(p_V0), write) + requires isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires isInitiator_V0 ==> (Multiset(St_Init_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, ownKey_V0, foreignKey_V0)) subset s_V0) + requires !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires !isInitiator_V0 ==> (Multiset(St_Resp_2_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) || (Multiset(St_Resp_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == 
gamma_b3aa12e7_F(tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, n_V0, aead_d2674021_F(foreignKey_V0, n_V0, msg_V0, zeroString_d2674021_F(0)))) + ensures acc(token_c3672ae3_F(p_V0), write) + ensures isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, o_V0, aead_d2674021_F(foreignKey_V0, n_V0, x1_V0, zeroString_d2674021_F(0))) + + +method patternProperty1_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, ltpk_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(St_Init_1_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), kI_V0, ltpk_V0, ekI_V0, psk_V0, c3_V0, h4_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M2_35781e6d_F(rid_V0, sidR_V0, kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M2_35781e6d_F(rid_V0, x1_V0, kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, x2_V0, x3_V0, x4_V0) + + +method patternProperty3_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: 
D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(Setup_Resp_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0))) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M1_68d987ee_F(sidI_V0, kR_V0, pkI_V0, epkI_V0, ts_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M1_68d987ee_F(x1_V0, kR_V0, pkI_V0, x2_V0, x3_V0, x4_V0, x5_V0) + + +method patternProperty4_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, ridOther_V0: D$9084e2f5_1186dc0d_, ownKey_V0: D$9084e2f5_1186dc0d_, foreignKey_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, msg_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_], isInitiator_V0: Bool) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) + requires isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires isInitiator_V0 ==> (Multiset(St_Init_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, ownKey_V0, foreignKey_V0)) subset s_V0) + requires !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires !isInitiator_V0 ==> (Multiset(St_Resp_2_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), 
getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) || (Multiset(St_Resp_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, n_V0, aead_d2674021_F(foreignKey_V0, n_V0, msg_V0, zeroString_d2674021_F(0)))) + ensures acc(token_c3672ae3_F(p_V0), write) + ensures isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, x1_V0, aead_d2674021_F(foreignKey_V0, x1_V0, x2_V0, zeroString_d2674021_F(0))) diff --git a/src/test/resources/biabduction/frontends/gobra/responder_main.go.vpr b/src/test/resources/biabduction/frontends/gobra/responder_main.go.vpr new file mode 100644 index 00000000..5d6ac62f --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/responder_main.go.vpr 
@@ -0,0 +1,7177 @@ +domain String { + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit(): Int + + unique function stringLit5375636365737320436f6e73756d696e672052657175657374(): Int + + unique function stringLit537563636573732053656e64696e6720526573706f6e7365(): Int + + unique function stringLit4e6f6973655f494b70736b325f32353531395f436861436861506f6c795f424c414b453273(): Int + + unique function stringLit576972654775617264207631207a78326334204a61736f6e407a783263342e636f6d(): Int + + axiom { + (forall l: Int, r: Int :: { strLen(strConcat(l, r)) } strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit5375636365737320436f6e73756d696e672052657175657374()) == 25 + } + + axiom { + strLen(stringLit537563636573732053656e64696e6720526573706f6e7365()) == 24 + } + + axiom { + strLen(stringLit4e6f6973655f494b70736b325f32353531395f436861436861506f6c795f424c414b453273()) == 37 + } + + axiom { + strLen(stringLit576972654775617264207631207a78326334204a61736f6e407a783263342e636f6d()) == 34 + } +} + +domain Types { + + function empty_interface_Types(): Types + + unique function empty_interface_Types_tag(): Int + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + function nil_Types(): Types + + unique function nil_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function tag_Types(t: Types): Int + + axiom { + (forall a: Types :: { behavioral_subtype_Types(a, empty_interface_Types()) } behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + (forall a: Types :: { behavioral_subtype_Types(a, a) } behavioral_subtype_Types(a, a)) + } + + axiom { + (forall a: Types, b: Types, c: Types :: { behavioral_subtype_Types(a, b),behavioral_subtype_Types(b, c) } behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> 
behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: { (eq(x, y): Bool) } (eq(x, y): Bool) == ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget0of4(x): T0) } (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget1of4(x): T1) } (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget2of4(x): T2) } (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: { (ShStructget3of4(x): T3) } (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == x) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructrev0of5(v0: T0): 
ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: { (eq(x, y): Bool) } (eq(x, y): Bool) == ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget0of5(x): T0) } (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget1of5(x): T1) } (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget2of5(x): T2) } (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget3of5(x): T3) } (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: { (ShStructget4of5(x): T4) } (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == x) + } +} + +domain ShStruct7[T0, T1, T2, T3, T4, T5, T6] { + + function ShStructrev0of7(v0: 
T0): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev1of7(v1: T1): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev2of7(v2: T2): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev3of7(v3: T3): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev4of7(v4: T4): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev5of7(v5: T5): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructrev6of7(v6: T6): ShStruct7[T0, T1, T2, T3, T4, T5, T6] + + function ShStructget0of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T0 + + function ShStructget1of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T1 + + function ShStructget2of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T2 + + function ShStructget3of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T3 + + function ShStructget4of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T4 + + function ShStructget5of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T5 + + function ShStructget6of7(x: ShStruct7[T0, T1, T2, T3, T4, T5, T6]): T6 + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6], y: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (eq(x, y): Bool) } (eq(x, y): Bool) == ((ShStructget0of7(x): T0) == (ShStructget0of7(y): T0) && (ShStructget1of7(x): T1) == (ShStructget1of7(y): T1) && (ShStructget2of7(x): T2) == (ShStructget2of7(y): T2) && (ShStructget3of7(x): T3) == (ShStructget3of7(y): T3) && (ShStructget4of7(x): T4) == (ShStructget4of7(y): T4) && (ShStructget5of7(x): T5) == (ShStructget5of7(y): T5) && (ShStructget6of7(x): T6) == (ShStructget6of7(y): T6))) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget0of7(x): T0) } (ShStructrev0of7((ShStructget0of7(x): T0)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget1of7(x): T1) } (ShStructrev1of7((ShStructget1of7(x): T1)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, 
T5, T6] :: { (ShStructget2of7(x): T2) } (ShStructrev2of7((ShStructget2of7(x): T2)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget3of7(x): T3) } (ShStructrev3of7((ShStructget3of7(x): T3)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget4of7(x): T4) } (ShStructrev4of7((ShStructget4of7(x): T4)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget5of7(x): T5) } (ShStructrev5of7((ShStructget5of7(x): T5)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } + + axiom { + (forall x: ShStruct7[T0, T1, T2, T3, T4, T5, T6] :: { (ShStructget6of7(x): T6) } (ShStructrev6of7((ShStructget6of7(x): T6)): ShStruct7[T0, T1, T2, T3, T4, T5, T6]) == x) + } +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: { (eq(l, r): Bool) } (eq(l, r): Bool) == (l == r)) + } +} + +domain Tuple5[T0, T1, T2, T3, T4] { + + function tuple5(t0: T0, t1: T1, t2: T2, t3: T3, t4: T4): Tuple5[T0, T1, T2, T3, T4] + + function get0of5(p: Tuple5[T0, T1, T2, T3, T4]): T0 + + function get1of5(p: Tuple5[T0, T1, T2, T3, T4]): T1 + + function get2of5(p: Tuple5[T0, T1, T2, T3, T4]): T2 + + function get3of5(p: Tuple5[T0, T1, T2, T3, T4]): T3 + + function get4of5(p: Tuple5[T0, T1, T2, T3, T4]): T4 + + axiom getter_over_tuple5 { + (forall t0: T0, t1: T1, t2: T2, t3: T3, t4: T4 :: { (tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4]) } (get0of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T0) == t0 && (get1of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T1) == t1 && (get2of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T2) == t2 && (get3of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T3) == t3 && (get4of5((tuple5(t0, t1, t2, t3, t4): Tuple5[T0, T1, T2, T3, T4])): T4) == t4) + } + 
+ axiom tuple5_over_getter { + (forall p: Tuple5[T0, T1, T2, T3, T4] :: { (get0of5(p): T0) } { (get1of5(p): T1) } { (get2of5(p): T2) } { (get3of5(p): T3) } { (get4of5(p): T4) } (tuple5((get0of5(p): T0), (get1of5(p): T1), (get2of5(p): T2), (get3of5(p): T3), (get4of5(p): T4)): Tuple5[T0, T1, T2, T3, T4]) == p) + } +} + +domain Tuple7[T0, T1, T2, T3, T4, T5, T6] { + + function tuple7(t0: T0, t1: T1, t2: T2, t3: T3, t4: T4, t5: T5, t6: T6): Tuple7[T0, T1, T2, T3, T4, T5, T6] + + function get0of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T0 + + function get1of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T1 + + function get2of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T2 + + function get3of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T3 + + function get4of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T4 + + function get5of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T5 + + function get6of7(p: Tuple7[T0, T1, T2, T3, T4, T5, T6]): T6 + + axiom getter_over_tuple7 { + (forall t0: T0, t1: T1, t2: T2, t3: T3, t4: T4, t5: T5, t6: T6 :: { (tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6]) } (get0of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T0) == t0 && (get1of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T1) == t1 && (get2of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T2) == t2 && (get3of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T3) == t3 && (get4of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T4) == t4 && (get5of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T5) == t5 && (get6of7((tuple7(t0, t1, t2, t3, t4, t5, t6): Tuple7[T0, T1, T2, T3, T4, T5, T6])): T6) == t6) + } + + axiom tuple7_over_getter { + (forall p: Tuple7[T0, T1, T2, T3, T4, T5, T6] :: { (get0of7(p): T0) } { (get1of7(p): T1) } { (get2of7(p): T2) } { (get3of7(p): T3) } { (get4of7(p): T4) } { (get5of7(p): T5) } { 
(get6of7(p): T6) } (tuple7((get0of7(p): T0), (get1of7(p): T1), (get2of7(p): T2), (get3of7(p): T3), (get4of7(p): T4), (get5of7(p): T5), (get6of7(p): T6)): Tuple7[T0, T1, T2, T3, T4, T5, T6]) == p) + } +} + +domain Tuple4[T0, T1, T2, T3] { + + function tuple4(t0: T0, t1: T1, t2: T2, t3: T3): Tuple4[T0, T1, T2, T3] + + function get0of4(p: Tuple4[T0, T1, T2, T3]): T0 + + function get1of4(p: Tuple4[T0, T1, T2, T3]): T1 + + function get2of4(p: Tuple4[T0, T1, T2, T3]): T2 + + function get3of4(p: Tuple4[T0, T1, T2, T3]): T3 + + axiom getter_over_tuple4 { + (forall t0: T0, t1: T1, t2: T2, t3: T3 :: { (tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3]) } (get0of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T0) == t0 && (get1of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T1) == t1 && (get2of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T2) == t2 && (get3of4((tuple4(t0, t1, t2, t3): Tuple4[T0, T1, T2, T3])): T3) == t3) + } + + axiom tuple4_over_getter { + (forall p: Tuple4[T0, T1, T2, T3] :: { (get0of4(p): T0) } { (get1of4(p): T1) } { (get2of4(p): T2) } { (get3of4(p): T3) } (tuple4((get0of4(p): T0), (get1of4(p): T1), (get2of4(p): T2), (get3of4(p): T3)): Tuple4[T0, T1, T2, T3]) == p) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: { (tuple2(t0, t1): Tuple2[T0, T1]) } (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: { (get0of2(p): T0) } { (get1of2(p): T1) } (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ConstantMacSize_c7a67a88_G { + + function constant_MacSize_c7a67a88_G(): Int + + axiom get_constantMacSize_c7a67a88_G { + constant_MacSize_c7a67a88_G() == 16 + } +} + +domain ConstantNonceSize_c7a67a88_G { + + 
function constant_NonceSize_c7a67a88_G(): Int + + axiom get_constantNonceSize_c7a67a88_G { + constant_NonceSize_c7a67a88_G() == 12 + } +} + +domain ConstantKeySize_c7a67a88_G { + + function constant_KeySize_c7a67a88_G(): Int + + axiom get_constantKeySize_c7a67a88_G { + constant_KeySize_c7a67a88_G() == 32 + } +} + +domain ConstantHashSize_c7a67a88_G { + + function constant_HashSize_c7a67a88_G(): Int + + axiom get_constantHashSize_c7a67a88_G { + constant_HashSize_c7a67a88_G() == 32 + } +} + +domain ConstantwireguardString_c7a67a88_G { + + function constant_wireguardString_c7a67a88_G(): Int + + axiom get_constantwireguardString_c7a67a88_G { + constant_wireguardString_c7a67a88_G() == stringLit4e6f6973655f494b70736b325f32353531395f436861436861506f6c795f424c414b453273() + } +} + +domain ConstantpreludeString_c7a67a88_G { + + function constant_preludeString_c7a67a88_G(): Int + + axiom get_constantpreludeString_c7a67a88_G { + constant_preludeString_c7a67a88_G() == stringLit576972654775617264207631207a78326334204a61736f6e407a783263342e636f6d() + } +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function soffset(s: Slice[T]): Int + + function slen(s: Slice[T]): Int + + function scap(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } { (scap(s): Int) } (slen(s): Int) <= (scap(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int),(scap(s): Int) } { (ShArraylen((sarray(s): ShArray[T])): Int) } (soffset(s): Int) + (scap(s): Int) <= (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: { (smake(a, o, l, c): Slice[T]) } 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> (sarray((smake(a, o, l, c): Slice[T])): 
ShArray[T]) == a && ((soffset((smake(a, o, l, c): Slice[T])): Int) == o && ((slen((smake(a, o, l, c): Slice[T])): Int) == l && (scap((smake(a, o, l, c): Slice[T])): Int) == c))) + } + + axiom { + (forall s: Slice[T] :: { (sarray(s): ShArray[T]) } { (soffset(s): Int) } { (slen(s): Int) } { (scap(s): Int) } s == (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraylen(a: ShArray[T]): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraysecond(r: T): Int + + axiom { + (forall a: ShArray[T], i: Int :: { (ShArrayloc(a, i): T) } 0 <= i && i < (ShArraylen(a): Int) ==> (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } + + axiom { + (forall a: ShArray[T] :: { (ShArraylen(a): Int) } (ShArraylen(a): Int) >= 0) + } +} + +domain D$fe170ee1_c3672ae3_ { + + function place_c3672ae3_F(p_V0: Int): D$fe170ee1_c3672ae3_ + + function dfltD$fe170ee1_c3672ae3_(): D$fe170ee1_c3672ae3_ +} + +domain D$96de1481_db7e1422_ { + + function const_g_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_00_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_p_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_i_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_1_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_0_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_2_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_e_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_Init_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_Resp_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function const_4_pub_db7e1422_F(): D$96de1481_db7e1422_ + + function pub_msg_db7e1422_F(P0_PI0: Int): D$96de1481_db7e1422_ + + function pub_integer64_db7e1422_F(P0_PI0: Int): D$96de1481_db7e1422_ + + function pub_integer32_db7e1422_F(P0_PI0: Int): 
D$96de1481_db7e1422_ + + function dfltD$96de1481_db7e1422_(): D$96de1481_db7e1422_ +} + +domain D$f64ace72_9e8b0260_ { + + function fr_msg_9e8b0260_F(P0_PI0: Int): D$f64ace72_9e8b0260_ + + function fr_integer64_9e8b0260_F(P0_PI0: Int): D$f64ace72_9e8b0260_ + + function fr_integer32_9e8b0260_F(P0_PI0: Int): D$f64ace72_9e8b0260_ + + function dfltD$f64ace72_9e8b0260_(): D$f64ace72_9e8b0260_ +} + +domain D$9084e2f5_1186dc0d_ { + + function freshTerm_1186dc0d_F(f_V0: D$f64ace72_9e8b0260_): D$9084e2f5_1186dc0d_ + + function getFreshTerm_1186dc0d_F(t_V0: D$9084e2f5_1186dc0d_): D$f64ace72_9e8b0260_ + + function pubTerm_1186dc0d_F(p_V0: D$96de1481_db7e1422_): D$9084e2f5_1186dc0d_ + + function getPubTerm_1186dc0d_F(t_V0: D$9084e2f5_1186dc0d_): D$96de1481_db7e1422_ + + function aead_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function decrypt_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex11_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex12_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex13_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex14_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex15_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex16_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex17_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex21_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex22_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex23_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex24_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex25_1186dc0d_F(t1_V0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex26_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex27_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex41_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex42_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex43_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ex44_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function exp_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function extract_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function format1_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function format2_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function format4_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function fst_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function h_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function h__1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function inv_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1__1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2__1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf3_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function one_1186dc0d_F(): D$9084e2f5_1186dc0d_ + + function pair_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function snd_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ok_1186dc0d_F(): D$9084e2f5_1186dc0d_ + + function verify_1186dc0d_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function Mult_1186dc0d_F(x_V0: D$9084e2f5_1186dc0d_, y_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function dfltD$9084e2f5_1186dc0d_(): D$9084e2f5_1186dc0d_ + + axiom { + (forall f_V0: D$f64ace72_9e8b0260_ :: { freshTerm_1186dc0d_F(f_V0) } getFreshTerm_1186dc0d_F(freshTerm_1186dc0d_F(f_V0)) == f_V0) + } + + axiom { + (forall p_V0: D$96de1481_db7e1422_ :: { pubTerm_1186dc0d_F(p_V0) } getPubTerm_1186dc0d_F(pubTerm_1186dc0d_F(p_V0)) == p_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, x_3_V0)) } Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, x_3_V0)) == Mult_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0), x_3_V0)) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, x_2_V0) } Mult_1186dc0d_F(x_1_V0, x_2_V0) == Mult_1186dc0d_F(x_2_V0, x_1_V0)) + } + + axiom { + (forall a_V0: D$9084e2f5_1186dc0d_, k_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_ :: { decrypt_1186dc0d_F(k_V0, n_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) } decrypt_1186dc0d_F(k_V0, n_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) == p_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: 
D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex11_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex11_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x1_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex12_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex12_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x2_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex13_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex13_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x3_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex14_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex14_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x4_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex15_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex15_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, 
x7_V0)) == x5_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex16_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex16_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x6_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex17_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex17_1186dc0d_F(format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x7_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex21_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex21_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x1_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex22_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex22_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x2_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex23_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } 
ex23_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x3_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex24_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex24_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x4_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex25_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex25_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x5_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex26_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex26_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x6_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { ex27_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) } ex27_1186dc0d_F(format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0)) == x7_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex41_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } 
ex41_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x1_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex42_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex42_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x2_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex43_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex43_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x3_V0) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { ex44_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) } ex44_1186dc0d_F(format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) == x4_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { exp_1186dc0d_F(x_1_V0, one_1186dc0d_F()) } exp_1186dc0d_F(x_1_V0, one_1186dc0d_F()) == x_1_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { exp_1186dc0d_F(exp_1186dc0d_F(x_1_V0, x_2_V0), x_3_V0) } exp_1186dc0d_F(exp_1186dc0d_F(x_1_V0, x_2_V0), x_3_V0) == exp_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, x_3_V0))) + } + + axiom { + (forall a_V0: D$9084e2f5_1186dc0d_, k_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_ :: { extract_1186dc0d_F(aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) } extract_1186dc0d_F(aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) == a_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { fst_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) } fst_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) == x_1_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { inv_1186dc0d_F(inv_1186dc0d_F(x_1_V0)) } inv_1186dc0d_F(inv_1186dc0d_F(x_1_V0)) == 
x_1_V0) + } + + axiom { + inv_1186dc0d_F(one_1186dc0d_F()) == one_1186dc0d_F() + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { inv_1186dc0d_F(Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) } inv_1186dc0d_F(Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) == Mult_1186dc0d_F(x_1_V0, inv_1186dc0d_F(x_2_V0))) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { snd_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) } snd_1186dc0d_F(pair_1186dc0d_F(x_1_V0, x_2_V0)) == x_2_V0) + } + + axiom { + (forall a_V0: D$9084e2f5_1186dc0d_, k_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_ :: { verify_1186dc0d_F(k_V0, n_V0, a_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) } verify_1186dc0d_F(k_V0, n_V0, a_V0, aead_1186dc0d_F(k_V0, n_V0, p_V0, a_V0)) == ok_1186dc0d_F()) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) } Mult_1186dc0d_F(x_1_V0, Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(x_1_V0))) == x_2_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, inv_1186dc0d_F(x_1_V0)) } Mult_1186dc0d_F(x_1_V0, inv_1186dc0d_F(x_1_V0)) == one_1186dc0d_F()) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_1_V0, one_1186dc0d_F()) } Mult_1186dc0d_F(x_1_V0, one_1186dc0d_F()) == x_1_V0) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_2_V0, Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0)))) } Mult_1186dc0d_F(x_2_V0, Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0)))) == Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(x_1_V0))) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0))) } 
Mult_1186dc0d_F(x_2_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0))) == inv_1186dc0d_F(x_1_V0)) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_, x_3_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(x_3_V0, Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0))) } Mult_1186dc0d_F(x_3_V0, Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0))) == Mult_1186dc0d_F(x_3_V0, inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0)))) + } + + axiom { + (forall x_1_V0: D$9084e2f5_1186dc0d_, x_2_V0: D$9084e2f5_1186dc0d_ :: { Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0)) } Mult_1186dc0d_F(inv_1186dc0d_F(x_1_V0), inv_1186dc0d_F(x_2_V0)) == inv_1186dc0d_F(Mult_1186dc0d_F(x_1_V0, x_2_V0))) + } +} + +domain D$46be403b_2716b91c_ { + + function SendSIDI_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSendSIDI_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function OutFormat1_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getOutFormat1_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function Commit_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getCommit_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function Secret_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSecret_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function InFormat2_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getInFormat2_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function SentFirstInit_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: 
D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSentFirstInit_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function Running_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getRunning_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function OutFormat4_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getOutFormat4_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function SentInitLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSentInitLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function AlreadyKnownSIDR_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getAlreadyKnownSIDR_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function ReceivedInitLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getReceivedInitLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function InFormat4_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getInFormat4_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function InFormat1_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getInFormat1_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function SendSIDR_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSendSIDR_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function OutFormat2_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + 
function getOutFormat2_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function ReceivedFirstResp_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getReceivedFirstResp_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function SentRespLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getSentRespLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function AlreadyKnownSIDI_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getAlreadyKnownSIDI_2716b91c_F(f_V0: D$46be403b_2716b91c_): D$9084e2f5_1186dc0d_ + + function ReceivedRespLoop_2716b91c_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_): D$46be403b_2716b91c_ + + function getReceivedRespLoop_2716b91c_F(f_V0: D$46be403b_2716b91c_): Seq[D$9084e2f5_1186dc0d_] + + function dfltD$46be403b_2716b91c_(): D$46be403b_2716b91c_ + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { SendSIDI_2716b91c_F(t1_V0) } getSendSIDI_2716b91c_F(SendSIDI_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { OutFormat1_2716b91c_F(t1_V0) } getOutFormat1_2716b91c_F(OutFormat1_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { Commit_2716b91c_F(t1_V0, t2_V0, t3_V0) } getCommit_2716b91c_F(Commit_2716b91c_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, 
t3_V0: D$9084e2f5_1186dc0d_ :: { Secret_2716b91c_F(t1_V0, t2_V0, t3_V0) } getSecret_2716b91c_F(Secret_2716b91c_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { InFormat2_2716b91c_F(t1_V0) } getInFormat2_2716b91c_F(InFormat2_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_ :: { SentFirstInit_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getSentFirstInit_2716b91c_F(SentFirstInit_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { Running_2716b91c_F(t1_V0, t2_V0, t3_V0) } getRunning_2716b91c_F(Running_2716b91c_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { OutFormat4_2716b91c_F(t1_V0) } getOutFormat4_2716b91c_F(OutFormat4_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { SentInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getSentInitLoop_2716b91c_F(SentInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { AlreadyKnownSIDR_2716b91c_F(t1_V0) } getAlreadyKnownSIDR_2716b91c_F(AlreadyKnownSIDR_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { 
ReceivedInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getReceivedInitLoop_2716b91c_F(ReceivedInitLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { InFormat4_2716b91c_F(t1_V0) } getInFormat4_2716b91c_F(InFormat4_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { InFormat1_2716b91c_F(t1_V0) } getInFormat1_2716b91c_F(InFormat1_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { SendSIDR_2716b91c_F(t1_V0) } getSendSIDR_2716b91c_F(SendSIDR_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { OutFormat2_2716b91c_F(t1_V0) } getOutFormat2_2716b91c_F(OutFormat2_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_ :: { ReceivedFirstResp_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getReceivedFirstResp_2716b91c_F(ReceivedFirstResp_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { SentRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getSentRespLoop_2716b91c_F(SentRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_ :: { AlreadyKnownSIDI_2716b91c_F(t1_V0) } getAlreadyKnownSIDI_2716b91c_F(AlreadyKnownSIDI_2716b91c_F(t1_V0)) == t1_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: 
D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_ :: { ReceivedRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0) } getReceivedRespLoop_2716b91c_F(ReceivedRespLoop_2716b91c_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0)) + } +} + +domain D$226445f2_3e61b158_ { + + function Setup_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSetup_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtK_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtK_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtpK_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtpK_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function PsK_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getPsK_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function FrFact_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getFrFact_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Timestamp_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getTimestamp_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function MAC_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMAC_Init_3e61b158_F(f_V0: 
D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Init_1_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Init_1_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function OutFact_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getOutFact_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function InFact_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getInFact_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Init_2_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Init_2_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Message_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMessage_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Init_3_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Init_3_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Counter_Init_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: 
D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getCounter_Init_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Setup_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSetup_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtK_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtK_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function LtpK_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getLtpK_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function PsK_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getPsK_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function InFact_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getInFact_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Resp_1_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_, t12_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Resp_1_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function FrFact_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + 
function getFrFact_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function MAC_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMAC_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Resp_2_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Resp_2_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function OutFact_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getOutFact_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function St_Resp_3_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getSt_Resp_3_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Counter_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getCounter_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function Message_Resp_3e61b158_F(t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_): D$226445f2_3e61b158_ + + function getMessage_Resp_3e61b158_F(f_V0: D$226445f2_3e61b158_): Seq[D$9084e2f5_1186dc0d_] + + function getTag_3e61b158_F(f_V0: D$226445f2_3e61b158_): Int + + function persistent_3e61b158_F(f_V0: D$226445f2_3e61b158_): Bool + + function dfltD$226445f2_3e61b158_(): D$226445f2_3e61b158_ + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, 
t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_ :: { Setup_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getSetup_Init_3e61b158_F(Setup_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) && getTag_3e61b158_F(Setup_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == 0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtK_Init_3e61b158_F(LtK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 1) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtpK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtpK_Init_3e61b158_F(LtpK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtpK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 2) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_ :: { PsK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0) } getPsK_Init_3e61b158_F(PsK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0) && getTag_3e61b158_F(PsK_Init_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == 3) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { FrFact_Init_3e61b158_F(t1_V0, t2_V0) } getFrFact_Init_3e61b158_F(FrFact_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(FrFact_Init_3e61b158_F(t1_V0, t2_V0)) == 4) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Timestamp_Init_3e61b158_F(t1_V0, t2_V0) } getTimestamp_Init_3e61b158_F(Timestamp_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Timestamp_Init_3e61b158_F(t1_V0, t2_V0)) == 5) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: 
D$9084e2f5_1186dc0d_ :: { MAC_Init_3e61b158_F(t1_V0, t2_V0) } getMAC_Init_3e61b158_F(MAC_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(MAC_Init_3e61b158_F(t1_V0, t2_V0)) == 6) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_ :: { St_Init_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0) } getSt_Init_1_3e61b158_F(St_Init_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0) && getTag_3e61b158_F(St_Init_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0)) == 7) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { OutFact_Init_3e61b158_F(t1_V0, t2_V0) } getOutFact_Init_3e61b158_F(OutFact_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(OutFact_Init_3e61b158_F(t1_V0, t2_V0)) == 8) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { InFact_Init_3e61b158_F(t1_V0, t2_V0) } getInFact_Init_3e61b158_F(InFact_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(InFact_Init_3e61b158_F(t1_V0, t2_V0)) == 9) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Init_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Init_2_3e61b158_F(St_Init_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 
Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Init_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 10) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Message_Init_3e61b158_F(t1_V0, t2_V0) } getMessage_Init_3e61b158_F(Message_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Message_Init_3e61b158_F(t1_V0, t2_V0)) == 11) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Init_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Init_3_3e61b158_F(St_Init_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Init_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 12) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Counter_Init_3e61b158_F(t1_V0, t2_V0) } getCounter_Init_3e61b158_F(Counter_Init_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Counter_Init_3e61b158_F(t1_V0, t2_V0)) == 13) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_ :: { Setup_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getSetup_Resp_3e61b158_F(Setup_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) && getTag_3e61b158_F(Setup_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == 14) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtK_Resp_3e61b158_F(LtK_Resp_3e61b158_F(t1_V0, 
t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 15) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_ :: { LtpK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0) } getLtpK_Resp_3e61b158_F(LtpK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == Seq(t1_V0, t2_V0, t3_V0) && getTag_3e61b158_F(LtpK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0)) == 16) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_ :: { PsK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0) } getPsK_Resp_3e61b158_F(PsK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0) && getTag_3e61b158_F(PsK_Resp_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0)) == 17) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { InFact_Resp_3e61b158_F(t1_V0, t2_V0) } getInFact_Resp_3e61b158_F(InFact_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(InFact_Resp_3e61b158_F(t1_V0, t2_V0)) == 18) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_, t9_V0: D$9084e2f5_1186dc0d_, t10_V0: D$9084e2f5_1186dc0d_, t11_V0: D$9084e2f5_1186dc0d_, t12_V0: D$9084e2f5_1186dc0d_ :: { St_Resp_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0) } getSt_Resp_1_3e61b158_F(St_Resp_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0) && getTag_3e61b158_F(St_Resp_1_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0, t9_V0, t10_V0, t11_V0, t12_V0)) == 19) + } + + axiom { + (forall t1_V0: 
D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { FrFact_Resp_3e61b158_F(t1_V0, t2_V0) } getFrFact_Resp_3e61b158_F(FrFact_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(FrFact_Resp_3e61b158_F(t1_V0, t2_V0)) == 20) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { MAC_Resp_3e61b158_F(t1_V0, t2_V0) } getMAC_Resp_3e61b158_F(MAC_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(MAC_Resp_3e61b158_F(t1_V0, t2_V0)) == 21) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Resp_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Resp_2_3e61b158_F(St_Resp_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Resp_2_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == 22) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { OutFact_Resp_3e61b158_F(t1_V0, t2_V0) } getOutFact_Resp_3e61b158_F(OutFact_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(OutFact_Resp_3e61b158_F(t1_V0, t2_V0)) == 23) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_, t8_V0: D$9084e2f5_1186dc0d_ :: { St_Resp_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) } getSt_Resp_3_3e61b158_F(St_Resp_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0)) == Seq(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0, t8_V0) && getTag_3e61b158_F(St_Resp_3_3e61b158_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, 
t7_V0, t8_V0)) == 24) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Counter_Resp_3e61b158_F(t1_V0, t2_V0) } getCounter_Resp_3e61b158_F(Counter_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Counter_Resp_3e61b158_F(t1_V0, t2_V0)) == 25) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { Message_Resp_3e61b158_F(t1_V0, t2_V0) } getMessage_Resp_3e61b158_F(Message_Resp_3e61b158_F(t1_V0, t2_V0)) == Seq(t1_V0, t2_V0) && getTag_3e61b158_F(Message_Resp_3e61b158_F(t1_V0, t2_V0)) == 26) + } + + axiom { + (forall f_V0: D$226445f2_3e61b158_ :: { persistent_3e61b158_F(f_V0) } persistent_3e61b158_F(f_V0) == (getTag_3e61b158_F(f_V0) == 1 || getTag_3e61b158_F(f_V0) == 2 || getTag_3e61b158_F(f_V0) == 3 || getTag_3e61b158_F(f_V0) == 15 || getTag_3e61b158_F(f_V0) == 16 || getTag_3e61b158_F(f_V0) == 17)) + } +} + +domain D$f32adf68_d2674021_ { + + function tuple2_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function tuple4_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function tuple5_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_, P4_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function tuple7_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_, P4_PI0: D$9084e2f5_1186dc0d_, P5_PI0: D$9084e2f5_1186dc0d_, P6_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function hash_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function hash__d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf1_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + 
function kdf1__d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf2__d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function kdf3_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function ok_d2674021_F(): D$9084e2f5_1186dc0d_ + + function aead_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function const1_d2674021_F(): D$9084e2f5_1186dc0d_ + + function exp_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function mult_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function msg_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function zeroString_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function integer64_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function integer32_d2674021_F(P0_PI0: Int): D$9084e2f5_1186dc0d_ + + function infoTerm_d2674021_F(): D$9084e2f5_1186dc0d_ + + function prologueTerm_d2674021_F(): D$9084e2f5_1186dc0d_ + + function generator_d2674021_F(): D$9084e2f5_1186dc0d_ + + function decrypt_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function verify_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_, P1_PI0: D$9084e2f5_1186dc0d_, P2_PI0: D$9084e2f5_1186dc0d_, P3_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function inv_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getFirst_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getSecond_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getThird_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function 
getForth_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getFifth_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getSixth_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function getSeventh_d2674021_F(P0_PI0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + + function dfltD$f32adf68_d2674021_(): D$f32adf68_d2674021_ + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { tuple2_d2674021_F(x1_V0, x2_V0) } tuple2_d2674021_F(x1_V0, x2_V0) == pair_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { tuple4_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) } tuple4_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) == format4_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_ :: { tuple5_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0) } tuple5_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0) == pair_1186dc0d_F(x1_V0, pair_1186dc0d_F(x2_V0, pair_1186dc0d_F(x3_V0, pair_1186dc0d_F(x4_V0, x5_V0))))) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_ :: { tuple7_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) } (x1_V0 == pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()) ? tuple7_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) == format1_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) : true) && (x1_V0 == pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()) ? 
tuple7_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) == format2_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0) : true)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { hash_d2674021_F(x1_V0, x2_V0) } hash_d2674021_F(x1_V0, x2_V0) == h_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { hash__d2674021_F(x_V0) } hash__d2674021_F(x_V0) == h__1186dc0d_F(x_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { kdf1_d2674021_F(x1_V0, x2_V0) } kdf1_d2674021_F(x1_V0, x2_V0) == kdf1_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { kdf1__d2674021_F(x_V0) } kdf1__d2674021_F(x_V0) == kdf1__1186dc0d_F(x_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { kdf2_d2674021_F(x1_V0, x2_V0) } kdf2_d2674021_F(x1_V0, x2_V0) == kdf2_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { kdf2__d2674021_F(x_V0) } kdf2__d2674021_F(x_V0) == kdf2__1186dc0d_F(x_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { kdf3_d2674021_F(x1_V0, x2_V0) } kdf3_d2674021_F(x1_V0, x2_V0) == kdf3_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + ok_d2674021_F() == ok_1186dc0d_F() + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { aead_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) } aead_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) == aead_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) + } + + axiom { + const1_d2674021_F() == one_1186dc0d_F() + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { exp_d2674021_F(x1_V0, x2_V0) } exp_d2674021_F(x1_V0, x2_V0) == exp_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_ :: { mult_d2674021_F(x1_V0, x2_V0) } mult_d2674021_F(x1_V0, 
x2_V0) == Mult_1186dc0d_F(x1_V0, x2_V0)) + } + + axiom { + (forall s_V0: Int :: { msg_d2674021_F(s_V0) } msg_d2674021_F(s_V0) == freshTerm_1186dc0d_F(fr_msg_9e8b0260_F(s_V0))) + } + + axiom { + zeroString_d2674021_F(0) == pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()) + } + + axiom { + zeroString_d2674021_F(12) == pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()) + } + + axiom { + integer64_d2674021_F(0) == pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()) + } + + axiom { + integer32_d2674021_F(1) == pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()) + } + + axiom { + integer32_d2674021_F(2) == pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()) + } + + axiom { + integer32_d2674021_F(4) == pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()) + } + + axiom { + (forall i_V0: Int :: { integer32_d2674021_F(i_V0) } (!(i_V0 == 1) && !(i_V0 == 2) && !(i_V0 == 4) ? integer32_d2674021_F(i_V0) == freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(i_V0)) : true)) + } + + axiom { + infoTerm_d2674021_F() == pubTerm_1186dc0d_F(const_i_pub_db7e1422_F()) + } + + axiom { + prologueTerm_d2674021_F() == pubTerm_1186dc0d_F(const_p_pub_db7e1422_F()) + } + + axiom { + generator_d2674021_F() == pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_ :: { decrypt_d2674021_F(x1_V0, x2_V0, x3_V0) } { decrypt_1186dc0d_F(x1_V0, x2_V0, x3_V0) } decrypt_d2674021_F(x1_V0, x2_V0, x3_V0) == decrypt_1186dc0d_F(x1_V0, x2_V0, x3_V0)) + } + + axiom { + (forall x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_ :: { verify_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) } { verify_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0) } verify_d2674021_F(x1_V0, x2_V0, x3_V0, x4_V0) == verify_1186dc0d_F(x1_V0, x2_V0, x3_V0, x4_V0)) + } + + axiom { + (forall x_V0: D$9084e2f5_1186dc0d_ :: { inv_d2674021_F(x_V0) } inv_d2674021_F(x_V0) == inv_1186dc0d_F(x_V0)) + } + + axiom { + (forall t1_V0: 
D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { tuple2_d2674021_F(t1_V0, t2_V0) } getFirst_d2674021_F(tuple2_d2674021_F(t1_V0, t2_V0)) == t1_V0 && getSecond_d2674021_F(tuple2_d2674021_F(t1_V0, t2_V0)) == t2_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_ :: { tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0) } getFirst_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t1_V0 && getSecond_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t2_V0 && getThird_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t3_V0 && getForth_d2674021_F(tuple4_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t4_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_ :: { tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getFirst_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t1_V0 && getSecond_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t2_V0 && getThird_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t3_V0 && getForth_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t4_V0 && getFifth_d2674021_F(tuple5_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t5_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_, t3_V0: D$9084e2f5_1186dc0d_, t4_V0: D$9084e2f5_1186dc0d_, t5_V0: D$9084e2f5_1186dc0d_, t6_V0: D$9084e2f5_1186dc0d_, t7_V0: D$9084e2f5_1186dc0d_ :: { tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getFirst_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t1_V0 && getSecond_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t2_V0 && getThird_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t3_V0 && 
getForth_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t4_V0 && getFifth_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t5_V0 && getSixth_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t6_V0 && getSeventh_d2674021_F(tuple7_d2674021_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t7_V0) + } +} + +domain D$8d64a7ad_b3aa12e7_ { + + function tuple2B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function tuple4B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function tuple5B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_, P4_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function tuple7B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_, P4_PI0: D$8d64a7ad_b3aa12e7_, P5_PI0: D$8d64a7ad_b3aa12e7_, P6_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function hashB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function hashB__b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf1B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf1B__b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf2B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf2B__b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function kdf3B_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function okB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function aeadB_b3aa12e7_F(P0_PI0: 
D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function const1B_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function expB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function multB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function msgB_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function zeroStringB_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function integer64B_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function integer32B_b3aa12e7_F(P0_PI0: Int): D$8d64a7ad_b3aa12e7_ + + function infoBytesB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function prologueBytesB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function generatorB_b3aa12e7_F(): D$8d64a7ad_b3aa12e7_ + + function getFirstB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getSecondB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getThirdB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getForthB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getFifthB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getSixthB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function getSeventhB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function decryptB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function verifyB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_, P1_PI0: D$8d64a7ad_b3aa12e7_, P2_PI0: D$8d64a7ad_b3aa12e7_, P3_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function invB_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ + + function dfltD$8d64a7ad_b3aa12e7_(): D$8d64a7ad_b3aa12e7_ + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: 
D$8d64a7ad_b3aa12e7_ :: { tuple2B_b3aa12e7_F(t1_V0, t2_V0) } getFirstB_b3aa12e7_F(tuple2B_b3aa12e7_F(t1_V0, t2_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple2B_b3aa12e7_F(t1_V0, t2_V0)) == t2_V0) + } + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: D$8d64a7ad_b3aa12e7_, t3_V0: D$8d64a7ad_b3aa12e7_, t4_V0: D$8d64a7ad_b3aa12e7_ :: { tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0) } getFirstB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t2_V0 && getThirdB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t3_V0 && getForthB_b3aa12e7_F(tuple4B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0)) == t4_V0) + } + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: D$8d64a7ad_b3aa12e7_, t3_V0: D$8d64a7ad_b3aa12e7_, t4_V0: D$8d64a7ad_b3aa12e7_, t5_V0: D$8d64a7ad_b3aa12e7_ :: { tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0) } getFirstB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t2_V0 && getThirdB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t3_V0 && getForthB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t4_V0 && getFifthB_b3aa12e7_F(tuple5B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0)) == t5_V0) + } + + axiom { + (forall t1_V0: D$8d64a7ad_b3aa12e7_, t2_V0: D$8d64a7ad_b3aa12e7_, t3_V0: D$8d64a7ad_b3aa12e7_, t4_V0: D$8d64a7ad_b3aa12e7_, t5_V0: D$8d64a7ad_b3aa12e7_, t6_V0: D$8d64a7ad_b3aa12e7_, t7_V0: D$8d64a7ad_b3aa12e7_ :: { tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0) } getFirstB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t1_V0 && getSecondB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t2_V0 && getThirdB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t3_V0 && 
getForthB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t4_V0 && getFifthB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t5_V0 && getSixthB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t6_V0 && getSeventhB_b3aa12e7_F(tuple7B_b3aa12e7_F(t1_V0, t2_V0, t3_V0, t4_V0, t5_V0, t6_V0, t7_V0)) == t7_V0) + } + + axiom { + (forall key_V0: D$8d64a7ad_b3aa12e7_, nonce_V0: D$8d64a7ad_b3aa12e7_, plaintext_V0: D$8d64a7ad_b3aa12e7_, additionalData_V0: D$8d64a7ad_b3aa12e7_ :: { decryptB_b3aa12e7_F(key_V0, nonce_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) } decryptB_b3aa12e7_F(key_V0, nonce_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) == plaintext_V0) + } + + axiom { + (forall key_V0: D$8d64a7ad_b3aa12e7_, nonce_V0: D$8d64a7ad_b3aa12e7_, plaintext_V0: D$8d64a7ad_b3aa12e7_, additionalData_V0: D$8d64a7ad_b3aa12e7_ :: { verifyB_b3aa12e7_F(key_V0, nonce_V0, additionalData_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) } verifyB_b3aa12e7_F(key_V0, nonce_V0, additionalData_V0, aeadB_b3aa12e7_F(key_V0, nonce_V0, plaintext_V0, additionalData_V0)) == okB_b3aa12e7_F()) + } +} + +domain D$d743aa07_b3aa12e7_ { + + function gamma_b3aa12e7_F(P0_PI0: D$9084e2f5_1186dc0d_): D$8d64a7ad_b3aa12e7_ + + function oneTerm_b3aa12e7_F(P0_PI0: D$8d64a7ad_b3aa12e7_): D$9084e2f5_1186dc0d_ + + function dfltD$d743aa07_b3aa12e7_(): D$d743aa07_b3aa12e7_ + + axiom { + (forall b_V0: D$8d64a7ad_b3aa12e7_ :: { oneTerm_b3aa12e7_F(b_V0) } gamma_b3aa12e7_F(oneTerm_b3aa12e7_F(b_V0)) == b_V0) + } + + axiom { + (forall t1_V0: D$9084e2f5_1186dc0d_, t2_V0: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple2_d2674021_F(t1_V0, t2_V0)) } gamma_b3aa12e7_F(tuple2_d2674021_F(t1_V0, t2_V0)) == tuple2B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V0), gamma_b3aa12e7_F(t2_V0))) && (forall t1_V1: D$9084e2f5_1186dc0d_, t2_V1: D$9084e2f5_1186dc0d_, t3_V1: 
D$9084e2f5_1186dc0d_, t4_V1: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple4_d2674021_F(t1_V1, t2_V1, t3_V1, t4_V1)) } gamma_b3aa12e7_F(tuple4_d2674021_F(t1_V1, t2_V1, t3_V1, t4_V1)) == tuple4B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V1), gamma_b3aa12e7_F(t2_V1), gamma_b3aa12e7_F(t3_V1), gamma_b3aa12e7_F(t4_V1))) && (forall t1_V2: D$9084e2f5_1186dc0d_, t2_V2: D$9084e2f5_1186dc0d_, t3_V2: D$9084e2f5_1186dc0d_, t4_V2: D$9084e2f5_1186dc0d_, t5_V2: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple5_d2674021_F(t1_V2, t2_V2, t3_V2, t4_V2, t5_V2)) } gamma_b3aa12e7_F(tuple5_d2674021_F(t1_V2, t2_V2, t3_V2, t4_V2, t5_V2)) == tuple5B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V2), gamma_b3aa12e7_F(t2_V2), gamma_b3aa12e7_F(t3_V2), gamma_b3aa12e7_F(t4_V2), gamma_b3aa12e7_F(t5_V2))) && (forall t1_V3: D$9084e2f5_1186dc0d_, t2_V3: D$9084e2f5_1186dc0d_, t3_V3: D$9084e2f5_1186dc0d_, t4_V3: D$9084e2f5_1186dc0d_, t5_V3: D$9084e2f5_1186dc0d_, t6_V3: D$9084e2f5_1186dc0d_, t7_V3: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(tuple7_d2674021_F(t1_V3, t2_V3, t3_V3, t4_V3, t5_V3, t6_V3, t7_V3)) } gamma_b3aa12e7_F(tuple7_d2674021_F(t1_V3, t2_V3, t3_V3, t4_V3, t5_V3, t6_V3, t7_V3)) == tuple7B_b3aa12e7_F(gamma_b3aa12e7_F(t1_V3), gamma_b3aa12e7_F(t2_V3), gamma_b3aa12e7_F(t3_V3), gamma_b3aa12e7_F(t4_V3), gamma_b3aa12e7_F(t5_V3), gamma_b3aa12e7_F(t6_V3), gamma_b3aa12e7_F(t7_V3))) && (forall k_V4: D$9084e2f5_1186dc0d_, n_V4: D$9084e2f5_1186dc0d_, p_V4: D$9084e2f5_1186dc0d_, a_V4: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(aead_d2674021_F(k_V4, n_V4, p_V4, a_V4)) } gamma_b3aa12e7_F(aead_d2674021_F(k_V4, n_V4, p_V4, a_V4)) == aeadB_b3aa12e7_F(gamma_b3aa12e7_F(k_V4), gamma_b3aa12e7_F(n_V4), gamma_b3aa12e7_F(p_V4), gamma_b3aa12e7_F(a_V4))) && (forall b1_V5: D$9084e2f5_1186dc0d_, b2_V5: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(hash_d2674021_F(b1_V5, b2_V5)) } gamma_b3aa12e7_F(hash_d2674021_F(b1_V5, b2_V5)) == hashB_b3aa12e7_F(gamma_b3aa12e7_F(b1_V5), gamma_b3aa12e7_F(b2_V5))) && (forall b_V6: D$9084e2f5_1186dc0d_ :: { 
gamma_b3aa12e7_F(hash__d2674021_F(b_V6)) } gamma_b3aa12e7_F(hash__d2674021_F(b_V6)) == hashB__b3aa12e7_F(gamma_b3aa12e7_F(b_V6))) && (forall b1_V7: D$9084e2f5_1186dc0d_, b2_V7: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf1_d2674021_F(b1_V7, b2_V7)) } gamma_b3aa12e7_F(kdf1_d2674021_F(b1_V7, b2_V7)) == kdf1B_b3aa12e7_F(gamma_b3aa12e7_F(b1_V7), gamma_b3aa12e7_F(b2_V7))) && (forall b_V8: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf1__d2674021_F(b_V8)) } gamma_b3aa12e7_F(kdf1__d2674021_F(b_V8)) == kdf1B__b3aa12e7_F(gamma_b3aa12e7_F(b_V8))) && (forall b1_V9: D$9084e2f5_1186dc0d_, b2_V9: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf2_d2674021_F(b1_V9, b2_V9)) } gamma_b3aa12e7_F(kdf2_d2674021_F(b1_V9, b2_V9)) == kdf2B_b3aa12e7_F(gamma_b3aa12e7_F(b1_V9), gamma_b3aa12e7_F(b2_V9))) && (forall b_V10: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf2__d2674021_F(b_V10)) } gamma_b3aa12e7_F(kdf2__d2674021_F(b_V10)) == kdf2B__b3aa12e7_F(gamma_b3aa12e7_F(b_V10))) && (forall b1_V11: D$9084e2f5_1186dc0d_, b2_V11: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(kdf3_d2674021_F(b1_V11, b2_V11)) } gamma_b3aa12e7_F(kdf3_d2674021_F(b1_V11, b2_V11)) == kdf3B_b3aa12e7_F(gamma_b3aa12e7_F(b1_V11), gamma_b3aa12e7_F(b2_V11))) && gamma_b3aa12e7_F(ok_d2674021_F()) == okB_b3aa12e7_F() && (forall l_V12: Int :: { gamma_b3aa12e7_F(zeroString_d2674021_F(l_V12)) } gamma_b3aa12e7_F(zeroString_d2674021_F(l_V12)) == zeroStringB_b3aa12e7_F(l_V12)) && gamma_b3aa12e7_F(infoTerm_d2674021_F()) == infoBytesB_b3aa12e7_F() && gamma_b3aa12e7_F(prologueTerm_d2674021_F()) == prologueBytesB_b3aa12e7_F() && (forall i_V13: Int :: { gamma_b3aa12e7_F(integer64_d2674021_F(i_V13)) } gamma_b3aa12e7_F(integer64_d2674021_F(i_V13)) == integer64B_b3aa12e7_F(i_V13)) && (forall i_V14: Int :: { gamma_b3aa12e7_F(integer32_d2674021_F(i_V14)) } gamma_b3aa12e7_F(integer32_d2674021_F(i_V14)) == integer32B_b3aa12e7_F(i_V14)) && (forall s_V15: Int :: { gamma_b3aa12e7_F(msg_d2674021_F(s_V15)) } gamma_b3aa12e7_F(msg_d2674021_F(s_V15)) == 
msgB_b3aa12e7_F(s_V15)) && gamma_b3aa12e7_F(const1_d2674021_F()) == const1B_b3aa12e7_F() && gamma_b3aa12e7_F(generator_d2674021_F()) == generatorB_b3aa12e7_F() && (forall l_V16: D$9084e2f5_1186dc0d_, r_V16: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(exp_d2674021_F(l_V16, r_V16)) } gamma_b3aa12e7_F(exp_d2674021_F(l_V16, r_V16)) == expB_b3aa12e7_F(gamma_b3aa12e7_F(l_V16), gamma_b3aa12e7_F(r_V16))) && (forall l_V17: D$9084e2f5_1186dc0d_, r_V17: D$9084e2f5_1186dc0d_ :: { gamma_b3aa12e7_F(mult_d2674021_F(l_V17, r_V17)) } gamma_b3aa12e7_F(mult_d2674021_F(l_V17, r_V17)) == multB_b3aa12e7_F(gamma_b3aa12e7_F(l_V17), gamma_b3aa12e7_F(r_V17))) + } +} + +domain BoolWellFoundedOrder { + + axiom bool_ax_dec { + (decreasing(false, true): Bool) + } + + axiom bool_ax_bound { + (forall bool1: Bool :: { (bounded(bool1): Bool) } (bounded(bool1): Bool)) + } +} + +domain IntWellFoundedOrder { + + axiom integer_ax_dec { + (forall int1: Int, int2: Int :: { (decreasing(int1, int2): Bool) } int1 < int2 ==> (decreasing(int1, int2): Bool)) + } + + axiom integer_ax_bound { + (forall int1: Int :: { (bounded(int1): Bool) } int1 >= 0 ==> (bounded(int1): Bool)) + } +} + +domain MuliSetWellFoundedOrder[S] { + + axiom multiset_ax_dec { + (forall mSet1: Multiset[S], mSet2: Multiset[S] :: { (decreasing(mSet1, mSet2): Bool) } |mSet1| < |mSet2| ==> (decreasing(mSet1, mSet2): Bool)) + } + + axiom multiset_ax_bound { + (forall mSet1: Multiset[S] :: { (bounded(mSet1): Bool) } (bounded(mSet1): Bool)) + } +} + +domain PredicateInstancesWellFoundedOrder { + + axiom predicate_instances_ax_dec { + (forall l1: PredicateInstance, l2: PredicateInstance :: { nestedPredicates(l1, l2) } (decreasing(l1, l2): Bool) == nestedPredicates(l1, l2)) + } + + axiom predicate_instances_ax_bound { + (forall l1: PredicateInstance :: { (bounded(l1): Bool) } (bounded(l1): Bool)) + } +} + +domain RationalWellFoundedOrder { + + axiom rational_ax_dec { + (forall int1: Perm, int2: Perm :: { (decreasing(int1, int2): Bool) } int1 <= int2 
- 1 / 1 ==> (decreasing(int1, int2): Bool)) + } + + axiom rational_ax_bound { + (forall int1: Perm :: { (bounded(int1): Bool) } int1 >= 0 / 1 ==> (bounded(int1): Bool)) + } +} + +domain RefWellFoundedOrder { + + axiom ref_ax_dec { + (forall ref1: Ref :: { (decreasing(null, ref1): Bool) } ref1 != null ==> (decreasing(null, ref1): Bool)) + } + + axiom ref_ax_bound { + (forall ref1: Ref :: { (bounded(ref1): Bool) } (bounded(ref1): Bool)) + } +} + +domain SeqWellFoundedOrder[S] { + + axiom seq_ax_dec { + (forall seq1: Seq[S], seq2: Seq[S] :: { (decreasing(seq1, seq2): Bool) } |seq1| < |seq2| ==> (decreasing(seq1, seq2): Bool)) + } + + axiom seq_ax_bound { + (forall seq1: Seq[S] :: { (bounded(seq1): Bool) } |seq1| >= 0 ==> (bounded(seq1): Bool)) + } +} + +domain SetWellFoundedOrder[S] { + + axiom set_ax_dec { + (forall set1: Set[S], set2: Set[S] :: { (decreasing(set1, set2): Bool) } |set1| < |set2| ==> (decreasing(set1, set2): Bool)) + } + + axiom set_ax_bound { + (forall set1: Set[S] :: { (bounded(set1): Bool) } (bounded(set1): Bool)) + } +} + +domain WellFoundedOrder[T] { + + function decreasing(arg1: T, arg2: T): Bool + + function bounded(arg1: T): Bool +} + +domain PredicateInstancesNestedRelation { + + function nestedPredicates(l1: PredicateInstance, l2: PredicateInstance): Bool + + axiom nestedTrans { + (forall l1: PredicateInstance, l2: PredicateInstance, l3: PredicateInstance :: { nestedPredicates(l1, l2),nestedPredicates(l2, l3) } nestedPredicates(l1, l2) && nestedPredicates(l2, l3) ==> nestedPredicates(l1, l3)) + } + + axiom nestedReflex { + (forall l1: PredicateInstance :: !nestedPredicates(l1, l1)) + } +} + +domain PredicateInstance { + + +} + +field val$_Int: Int + +field val$_Slice_Ref: Slice[Ref] + +function strSlice(s: Int, l: Int, h: Int): Int + requires 0 <= l + requires l <= h + requires h <= strLen(s) + ensures strLen(result) == h - l + + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + 
ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +function sconstruct_Ref(a: ShArray[Ref], offset: Int, len: Int, cap: Int): Slice[Ref] + requires 0 <= offset + requires 0 <= len + requires len <= cap + requires offset + cap <= (ShArraylen(a): Int) + ensures (sarray(result): ShArray[Ref]) == a + ensures (soffset(result): Int) == offset + ensures (slen(result): Int) == len + ensures (scap(result): Int) == cap + + +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: { (ShArrayloc(result, idx): Ref) } (ShArrayloc(result, idx): Ref) == null) + + +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function shStructDefault_$devA_PointerIntint$$$_S_$$$$$$_S_$$$_endpointA_Intint$$$_S_$$$_inputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$_outputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$$(): ShStruct4[Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of4(result): Ref) == null && (ShStructget1of4(result): Ref) == null && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +// decreases _ +function shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$(): 
ShStruct5[Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of5(result): Ref) == null && (ShStructget1of5(result): Ref) == null && (ShStructget2of5(result): Ref) == null && (ShStructget3of5(result): Ref) == null && (ShStructget4of5(result): Ref) == null + + +// decreases _ +function shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$(): ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + ensures true && (ShStructget0of4(result): ShStruct4[Ref, Ref, Ref, Ref]) == shStructDefault_$devA_PointerIntint$$$_S_$$$$$$_S_$$$_endpointA_Intint$$$_S_$$$_inputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$_outputA_ChannelSliceIntbyte$$$_S_$$$$$$$_E_$$$$$$_S_$$$$() && (ShStructget1of4(result): ShStruct5[Ref, Ref, Ref, Ref, Ref]) == shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$() && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +// decreases _ +function shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$(): ShStruct4[Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of4(result): Ref) == null && (ShStructget1of4(result): Ref) == null && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +// decreases _ +function shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct5[Ref, Ref, Ref, Ref, Ref] + ensures true && 
(ShStructget0of5(result): Ref) == null && (ShStructget1of5(result): Ref) == null && (ShStructget2of5(result): Ref) == null && (ShStructget3of5(result): Ref) == null && (ShStructget4of5(result): Ref) == null + + +// decreases _ +function shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of7(result): Ref) == null && (ShStructget1of7(result): Ref) == null && (ShStructget2of7(result): Ref) == null && (ShStructget3of7(result): Ref) == null && (ShStructget4of7(result): Ref) == null && (ShStructget5of7(result): Ref) == null && (ShStructget6of7(result): Ref) == null + + +// decreases _ +function shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of7(result): Ref) == null && (ShStructget1of7(result): Ref) == null && (ShStructget2of7(result): Ref) == null && (ShStructget3of7(result): Ref) == null && (ShStructget4of7(result): Ref) == null && (ShStructget5of7(result): Ref) == null && (ShStructget6of7(result): Ref) == null + + +// decreases _ +function shStructDefault_$TypeA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_NonceA_Intuint64$$$_S_$$$_PayloadA_DefinedByteString_c7a67a88_T$$$_S_$$$$(): ShStruct4[Ref, Ref, Ref, Ref] + ensures true && (ShStructget0of4(result): Ref) == null && (ShStructget1of4(result): Ref) == null && (ShStructget2of4(result): Ref) == null && (ShStructget3of4(result): Ref) == null + + +function sadd(left: Int, right: Int): 
Int + ensures result == left + right +{ + left + right +} + +function getNHash1_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getNKey1_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getEpkI1_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getSidI1_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem1_22e24f7d_F(hs_V0), wildcard) in integer32B_b3aa12e7_F((ShStructget3of5(hs_V0): Ref).val$_Int)) +} + +function getNHash2_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getNKey2_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getEpkI2_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) in 
Abs_c7a67a88_F((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getEkR2_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) in Abs_c7a67a88_F((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref)) +} + +function getSidI2_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) +{ + (unfolding acc(HandshakeMem2_22e24f7d_F(hs_V0), wildcard) in integer32B_b3aa12e7_F((ShStructget3of5(hs_V0): Ref).val$_Int)) +} + +function getSidR_22e24f7d_F(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) +{ + (unfolding acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in integer32B_b3aa12e7_F((ShStructget2of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int))) +} + +function getKR_22e24f7d_F(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) +{ + (unfolding acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in Abs_c7a67a88_F((ShStructget1of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref))) +} + +function getPkI_22e24f7d_F(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) +{ + (unfolding 
acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in Abs_c7a67a88_F((ShStructget4of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref))) +} + +function getPsk_22e24f7d_F(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) +{ + (unfolding acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in Abs_c7a67a88_F((ShStructget0of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref))) +} + +function getRid_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$9084e2f5_1186dc0d_ + requires acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) +{ + (unfolding acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) in (unfolding acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), wildcard) in integer32_d2674021_F((ShStructget2of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int))) +} + +function getPP_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]): D$9084e2f5_1186dc0d_ + requires acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) +{ + (unfolding acc(ResponderMem_22e24f7d_F(responder_V0), wildcard) in tuple4_d2674021_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F((ShStructget2of4(responder_V0): Ref).val$_Int)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F((ShStructget3of4(responder_V0): Ref).val$_Int)), prologueTerm_d2674021_F(), infoTerm_d2674021_F())) +} + +function 
persistentFacts_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_]): Multiset[D$226445f2_3e61b158_] + ensures (forall f_V1: D$226445f2_3e61b158_ :: { (f_V1 in result) } (f_V1 in result) == (persistent_3e61b158_F(f_V1) && ((f_V1 in l_V0)) > 0 ? 1 : 0)) + + +function linearFacts_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_]): Multiset[D$226445f2_3e61b158_] + ensures (forall f_V1: D$226445f2_3e61b158_ :: { (f_V1 in result) } (f_V1 in result) == (persistent_3e61b158_F(f_V1) ? 0 : (f_V1 in l_V0))) + + +function M_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_], s_V0: Multiset[D$226445f2_3e61b158_]): Bool + ensures result == ((linearFacts_3e61b158_F(l_V0) subset s_V0) && (persistentFacts_3e61b158_F(l_V0) subset s_V0)) +{ + (linearFacts_3e61b158_F(l_V0) subset s_V0) && (persistentFacts_3e61b158_F(l_V0) subset s_V0) +} + +function U_3e61b158_F(l_V0: Multiset[D$226445f2_3e61b158_], r_V0: Multiset[D$226445f2_3e61b158_], s_V0: Multiset[D$226445f2_3e61b158_]): Multiset[D$226445f2_3e61b158_] + ensures result == ((s_V0 setminus linearFacts_3e61b158_F(l_V0)) union r_V0) + + +function InternalResp1L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(Setup_Resp_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0), LtK_Resp_3e61b158_F(sidR_V0, b_V0, kR_V0), LtpK_Resp_3e61b158_F(sidR_V0, a_V0, pkI_V0), PsK_Resp_3e61b158_F(sidR_V0, a_V0, b_V0, psk_V0), InFact_Resp_3e61b158_F(sidR_V0, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, epkI_V0, aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), 
pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)))), mac1I_V0, mac2I_V0))) +} + +function InternalResp1A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(InFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, epkI_V0, aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, 
kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0)))), mac1I_V0, mac2I_V0))) +} + +function InternalResp1R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_1_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), exp_d2674021_F(pkI_V0, kR_V0)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), 
exp_d2674021_F(pkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V0)), epkI_V0))))), sidI_V0)) +} + +function InternalResp2L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_1_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0), FrFact_Resp_3e61b158_F(sidR_V0, ekR_V0), MAC_Resp_3e61b158_F(sidR_V0, mac1R_V0), MAC_Resp_3e61b158_F(sidR_V0, mac2R_V0)) +} + +function InternalResp2A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), 
pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0)))))), SendSIDR_2716b91c_F(sidR_V0), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0), aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalResp2R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + 
Multiset(St_Resp_2_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0))), OutFact_Resp_3e61b158_F(sidR_V0, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0), aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V0)), exp_d2674021_F(epkI_V0, ekR_V0)), exp_d2674021_F(pkI_V0, ekR_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalResp3L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_2_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), InFact_Resp_3e61b158_F(sidR_V0, 
format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, n_V0, aead_d2674021_F(kIR_V0, n_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp3A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(ReceivedFirstResp_2716b91c_F(sidR_V0, sidI_V0, a_V0, b_V0, kIR_V0, kRI_V0, p_V0), Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kIR_V0, kRI_V0)))), Secret_2716b91c_F(a_V0, b_V0, pair_1186dc0d_F(kIR_V0, kRI_V0)), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, n_V0, aead_d2674021_F(kIR_V0, n_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp3R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0)) +} + +function InternalResp4L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + 
Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), Counter_Resp_3e61b158_F(sidR_V0, nRI_V0), Message_Resp_3e61b158_F(sidR_V0, p_V0)) +} + +function InternalResp4A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SentRespLoop_2716b91c_F(sidR_V0, sidI_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDI_2716b91c_F(sidI_V0), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp4R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), OutFact_Resp_3e61b158_F(sidR_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp5L_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, 
a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0), InFact_Resp_3e61b158_F(sidR_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp5A_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(ReceivedRespLoop_2716b91c_F(sidR_V0, sidI_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDI_2716b91c_F(sidI_V0), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalResp5R_d2674021_F(sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Resp_3_3e61b158_F(sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0)) +} + +function InternalInit1L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(Setup_Init_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, 
info_V0), LtK_Init_3e61b158_F(sidI_V0, a_V0, kI_V0), LtpK_Init_3e61b158_F(sidI_V0, b_V0, pkR_V0), PsK_Init_3e61b158_F(sidI_V0, a_V0, b_V0, psk_V0), FrFact_Init_3e61b158_F(sidI_V0, ekI_V0), Timestamp_Init_3e61b158_F(sidI_V0, timestamp_V0), MAC_Init_3e61b158_F(sidI_V0, mac1I_V0), MAC_Init_3e61b158_F(sidI_V0, mac2I_V0)) +} + +function InternalInit1A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SendSIDI_2716b91c_F(sidI_V0), OutFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), 
exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))))), mac1I_V0, mac2I_V0))) +} + +function InternalInit1R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_1_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), 
exp_d2674021_F(pkR_V0, kI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))))))), OutFact_Init_3e61b158_F(sidI_V0, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V0, exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), exp_d2674021_F(pkR_V0, kI_V0)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V0, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), aead_d2674021_F(kdf2_d2674021_F(kdf1_d2674021_F(h__1186dc0d_F(info_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0)), exp_d2674021_F(pkR_V0, ekI_V0)), 
pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V0), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V0), prologue_V0), pkR_V0), exp_d2674021_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V0))))), mac1I_V0, mac2I_V0))) +} + +function InternalInit2L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_1_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0), InFact_Init_3e61b158_F(sidI_V0, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, epkR_V0, aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, epkR_V0), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalInit2A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, 
mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)))))), Secret_2716b91c_F(a_V0, b_V0, pair_1186dc0d_F(kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)))), InFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V0, sidI_V0, epkR_V0, aead_d2674021_F(kdf3_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V0, epkR_V0), kdf2_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0))), mac1R_V0, mac2R_V0))) +} + +function InternalInit2R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: 
D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_2_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kdf1__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)), kdf2__d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(kdf1_d2674021_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)), exp_d2674021_F(epkR_V0, kI_V0)), psk_V0)))) +} + +function InternalInit3L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_2_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), Message_Init_3e61b158_F(sidI_V0, p_V0)) +} + +function InternalInit3A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SentFirstInit_2716b91c_F(sidI_V0, sidR_V0, a_V0, b_V0, kIR_V0, kRI_V0, p_V0), Running_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V0, pair_1186dc0d_F(b_V0, pair_1186dc0d_F(kIR_V0, kRI_V0)))), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_d2674021_F(kIR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V0, 
pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit3R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), OutFact_Init_3e61b158_F(sidI_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_d2674021_F(kIR_V0, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit4L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), Counter_Init_3e61b158_F(sidI_V0, nIR_V0), Message_Init_3e61b158_F(sidI_V0, p_V0)) +} + +function InternalInit4A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(SentInitLoop_2716b91c_F(sidI_V0, sidR_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDR_2716b91c_F(sidR_V0), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, 
pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit4R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), OutFact_Init_3e61b158_F(sidI_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V0, nIR_V0, aead_d2674021_F(kIR_V0, nIR_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit5L_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0), InFact_Init_3e61b158_F(sidI_V0, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit5A_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$46be403b_2716b91c_] +{ + Multiset(ReceivedInitLoop_2716b91c_F(sidI_V0, sidR_V0, a_V0, b_V0, kIR_V0, kRI_V0), AlreadyKnownSIDR_2716b91c_F(sidR_V0), 
InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V0, nRI_V0, aead_d2674021_F(kRI_V0, nRI_V0, p_V0, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) +} + +function InternalInit5R_d2674021_F(sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_): Multiset[D$226445f2_3e61b158_] +{ + Multiset(St_Init_3_3e61b158_F(sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0)) +} + +function get_e_Handshake_St_Init_1_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, psk_V0, ekI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Handshake_St_Init_2_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: 
D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0, sidR_V0, epkR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Send_First_Init_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Send_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Receive_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: 
D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, x_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_OutFact_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, new_x_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V0), write) + + +function get_e_LtK_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtK_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtK_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtpK_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtpK_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_LtpK_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): 
D$fe170ee1_c3672ae3_ + requires acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_r3_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_PsK_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_FrFact_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_FrFact_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Timestamp_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Timestamp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Timestamp_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Timestamp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_MAC_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_MAC_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): 
D$fe170ee1_c3672ae3_ + requires acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_InFact_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_InFact_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Message_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Message_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Counter_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Counter_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Init_r1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Init_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Init_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Resp_r1_c0f0ff6b_F(tami_p_V0: 
D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Resp_r2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ + requires acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Setup_Resp_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_): D$fe170ee1_c3672ae3_ + requires acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) + + +function get_e_Handshake_St_Resp_1_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, kR_V0, pkI_V0, psk_V0, sidI_V0, epkI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Handshake_St_Resp_2_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, 
tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0, ekR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Receive_First_Resp_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, n_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Send_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function get_e_Receive_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: 
D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]): D$fe170ee1_c3672ae3_ + requires acc(e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + + +function Size_c7a67a88_F(b_V0: Slice[Ref]): Int + requires acc(Mem_c7a67a88_F(b_V0), wildcard) + ensures result >= 0 && result == (slen(b_V0): Int) + + +function IsEqual_c7a67a88_F(b1_V0: Slice[Ref], b2_V0: Slice[Ref]): Bool + requires acc(Mem_c7a67a88_F(b1_V0), 1 / 200) && acc(Mem_c7a67a88_F(b2_V0), 1 / 200) + ensures result == (Abs_c7a67a88_F(b1_V0) == Abs_c7a67a88_F(b2_V0)) + + +function Abs_c7a67a88_F(b_V0: Slice[Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(Mem_c7a67a88_F(b_V0), wildcard) + ensures Size_c7a67a88_F(b_V0) == 0 ==> result == zeroStringB_b3aa12e7_F(0) + + +function SafeAbs_c7a67a88_F(b_V0: Slice[Ref], l_V0: Int): D$8d64a7ad_b3aa12e7_ + requires !(b_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(b_V0), wildcard) + ensures (!(b_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> result == Abs_c7a67a88_F(b_V0)) && (!!(b_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> result == zeroStringB_b3aa12e7_F(l_V0)) + + +function RequestMac1_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(RequestMem_c7a67a88_F(request_V0), wildcard) + ensures result == (unfolding acc(RequestMem_c7a67a88_F(request_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref, 16)) + + +function RequestMac2_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, 
Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(RequestMem_c7a67a88_F(request_V0), wildcard) + ensures result == (unfolding acc(RequestMem_c7a67a88_F(request_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref, 16)) + + +function RequestAbs_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(RequestMem_c7a67a88_F(request_V0), wildcard) + ensures result == (unfolding acc(RequestMem_c7a67a88_F(request_V0), wildcard) in tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of7(request_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of7(request_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget2of7(request_V0): Ref).val$_Slice_Ref), Abs_c7a67a88_F((ShStructget3of7(request_V0): Ref).val$_Slice_Ref), Abs_c7a67a88_F((ShStructget4of7(request_V0): Ref).val$_Slice_Ref), SafeAbs_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref, 16), SafeAbs_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref, 16))) + + +function ResponseEpkR_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) + ensures result == (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in Abs_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref)) + + +function ResponseMac1_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) + ensures result == (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in SafeAbs_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref, 16)) + + +function ResponseMac2_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) + ensures result == (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in 
SafeAbs_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref, 16)) + + +function ResponseAbs_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ResponseMem_c7a67a88_F(response_V0), wildcard) +{ + (unfolding acc(ResponseMem_c7a67a88_F(response_V0), wildcard) in tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of7(response_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of7(response_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget2of7(response_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref), Abs_c7a67a88_F((ShStructget4of7(response_V0): Ref).val$_Slice_Ref), SafeAbs_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref, 16), SafeAbs_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref, 16))) +} + +function ConnectionKIR_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in Abs_c7a67a88_F((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref)) + + +function ConnectionKRI_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in Abs_c7a67a88_F((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref)) + + +function ConnectionSidI_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in integer32B_b3aa12e7_F((ShStructget3of4(conn_V0): Ref).val$_Int)) + + +function ConnectionNonce_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): D$8d64a7ad_b3aa12e7_ + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding 
acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in integer64B_b3aa12e7_F((ShStructget0of4(conn_V0): Ref).val$_Int)) + + +function ConnectionNonceVal_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]): Int + requires acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) + ensures result == (unfolding acc(ConnectionMem_c7a67a88_F(conn_V0), wildcard) in (ShStructget0of4(conn_V0): Ref).val$_Int) + + +function Bytes_pkR_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), kR_V0) +} + +function Bytes_epkR_68d987ee_F(ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), ekR_V0) +} + +function Bytes_c0_68d987ee_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB__b3aa12e7_F(infoBytesB_b3aa12e7_F()) +} + +function Bytes_h0_68d987ee_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_c0_68d987ee_F(), prologueBytesB_b3aa12e7_F()) +} + +function Bytes_h1_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h0_68d987ee_F(), Bytes_pkR_68d987ee_F(kR_V0)) +} + +function Bytes_c1_68d987ee_F(epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c0_68d987ee_F(), epkI_V0) +} + +function Bytes_h2_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h1_68d987ee_F(kR_V0), epkI_V0) +} + +function Bytes_c2_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c1_68d987ee_F(epkI_V0), expB_b3aa12e7_F(epkI_V0, kR_V0)) +} + +function Bytes_k1_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c1_68d987ee_F(epkI_V0), expB_b3aa12e7_F(epkI_V0, kR_V0)) +} + +function Bytes_c_pkI_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k1_68d987ee_F(kR_V0, 
epkI_V0), zeroStringB_b3aa12e7_F(12), pkI_V0, Bytes_h2_68d987ee_F(kR_V0, epkI_V0)) +} + +function Bytes_h3_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h2_68d987ee_F(kR_V0, epkI_V0), Bytes_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Bytes_c3_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c2_68d987ee_F(kR_V0, epkI_V0), expB_b3aa12e7_F(pkI_V0, kR_V0)) +} + +function Bytes_k2_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c2_68d987ee_F(kR_V0, epkI_V0), expB_b3aa12e7_F(pkI_V0, kR_V0)) +} + +function Bytes_c_ts_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k2_68d987ee_F(kR_V0, pkI_V0, epkI_V0), zeroStringB_b3aa12e7_F(12), ts_V0, Bytes_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Bytes_h4_68d987ee_F(kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Bytes_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0)) +} + +function Bytes_M1_68d987ee_F(sidI_V0: D$8d64a7ad_b3aa12e7_, kR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(1), sidI_V0, epkI_V0, Bytes_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Bytes_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Bytes_c4_68d987ee_F(c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): 
D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(c3_V0, Bytes_epkR_68d987ee_F(ekR_V0)) +} + +function Bytes_h5_68d987ee_F(h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(h4_V0, Bytes_epkR_68d987ee_F(ekR_V0)) +} + +function Bytes_c5_68d987ee_F(epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c4_68d987ee_F(c3_V0, ekR_V0), expB_b3aa12e7_F(epkI_V0, ekR_V0)) +} + +function Bytes_c6_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c5_68d987ee_F(epkI_V0, c3_V0, ekR_V0), expB_b3aa12e7_F(pkI_V0, ekR_V0)) +} + +function Bytes_c7_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Bytes_pi_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Bytes_k3_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf3B_b3aa12e7_F(Bytes_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Bytes_h6_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h5_68d987ee_F(h4_V0, ekR_V0), Bytes_pi_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) 
+} + +function Bytes_c_empty_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k3_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0), zeroStringB_b3aa12e7_F(12), zeroStringB_b3aa12e7_F(0), Bytes_h6_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0)) +} + +function Bytes_M2_68d987ee_F(sidI_V0: D$8d64a7ad_b3aa12e7_, sidR_V0: D$8d64a7ad_b3aa12e7_, pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(2), sidR_V0, sidI_V0, Bytes_epkR_68d987ee_F(ekR_V0), Bytes_c_empty_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0), mac1_V0, mac2_V0) +} + +function Bytes_k_IR_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B__b3aa12e7_F(Bytes_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Bytes_k_RI_68d987ee_F(pkI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, epkI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, ekR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B__b3aa12e7_F(Bytes_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Term_pkR_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), kR_V0) +} + +function Term_epkR_68d987ee_F(ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), ekR_V0) +} + +function Term_c0_68d987ee_F(): D$9084e2f5_1186dc0d_ +{ + hash__d2674021_F(infoTerm_d2674021_F()) +} + +function Term_h0_68d987ee_F(): 
D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_c0_68d987ee_F(), prologueTerm_d2674021_F()) +} + +function Term_h1_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h0_68d987ee_F(), Term_pkR_68d987ee_F(kR_V0)) +} + +function Term_c1_68d987ee_F(epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c0_68d987ee_F(), epkI_V0) +} + +function Term_h2_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h1_68d987ee_F(kR_V0), epkI_V0) +} + +function Term_c2_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c1_68d987ee_F(epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)) +} + +function Term_c2_lin_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c1_68d987ee_F(epkI1_V0), exp_d2674021_F(epkI2_V0, kR_V0)) +} + +function Term_k1_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c1_68d987ee_F(epkI_V0), exp_d2674021_F(epkI_V0, kR_V0)) +} + +function Term_k1_lin_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c1_68d987ee_F(epkI1_V0), exp_d2674021_F(epkI2_V0, kR_V0)) +} + +function Term_c_pkI_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k1_68d987ee_F(kR_V0, epkI_V0), zeroString_d2674021_F(12), pkI_V0, Term_h2_68d987ee_F(kR_V0, epkI_V0)) +} + +function Term_c_pkI_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + 
aead_d2674021_F(Term_k1_lin_68d987ee_F(kR1_V0, epkI1_V0, epkI2_V0), zeroString_d2674021_F(12), pkI_V0, Term_h2_68d987ee_F(kR2_V0, epkI3_V0)) +} + +function Term_h3_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h2_68d987ee_F(kR_V0, epkI_V0), Term_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Term_h3_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, kR3_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_, epkI4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h2_68d987ee_F(kR1_V0, epkI1_V0), Term_c_pkI_lin_68d987ee_F(kR2_V0, kR3_V0, pkI_V0, epkI2_V0, epkI3_V0, epkI4_V0)) +} + +function Term_c3_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c2_68d987ee_F(kR_V0, epkI_V0), exp_d2674021_F(pkI_V0, kR_V0)) +} + +function Term_k2_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c2_68d987ee_F(kR_V0, epkI_V0), exp_d2674021_F(pkI_V0, kR_V0)) +} + +function Term_k2_lin_68d987ee_F(kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c2_lin_68d987ee_F(kR1_V0, epkI1_V0, epkI2_V0), exp_d2674021_F(pkI_V0, kR2_V0)) +} + +function Term_c_ts_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k2_68d987ee_F(kR_V0, pkI_V0, epkI_V0), zeroString_d2674021_F(12), ts_V0, Term_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0)) +} + +function Term_c_ts_lin_68d987ee_F(kR1_V0: 
D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, kR3_V0: D$9084e2f5_1186dc0d_, kR4_V0: D$9084e2f5_1186dc0d_, kR5_V0: D$9084e2f5_1186dc0d_, pkI1_V0: D$9084e2f5_1186dc0d_, pkI2_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_, epkI4_V0: D$9084e2f5_1186dc0d_, epkI5_V0: D$9084e2f5_1186dc0d_, epkI6_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k2_lin_68d987ee_F(kR1_V0, kR2_V0, pkI1_V0, epkI1_V0, epkI2_V0), zeroString_d2674021_F(12), ts_V0, Term_h3_lin_68d987ee_F(kR3_V0, kR4_V0, kR5_V0, pkI2_V0, epkI3_V0, epkI4_V0, epkI5_V0, epkI6_V0)) +} + +function Term_h4_68d987ee_F(kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h3_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Term_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0)) +} + +function Term_M1_68d987ee_F(sidI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(1), sidI_V0, epkI_V0, Term_c_pkI_68d987ee_F(kR_V0, pkI_V0, epkI_V0), Term_c_ts_68d987ee_F(kR_V0, pkI_V0, epkI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Term_M1_lin_68d987ee_F(sidI_V0: D$9084e2f5_1186dc0d_, kR1_V0: D$9084e2f5_1186dc0d_, kR2_V0: D$9084e2f5_1186dc0d_, kR3_V0: D$9084e2f5_1186dc0d_, kR4_V0: D$9084e2f5_1186dc0d_, kR5_V0: D$9084e2f5_1186dc0d_, kR6_V0: D$9084e2f5_1186dc0d_, kR7_V0: D$9084e2f5_1186dc0d_, pkI1_V0: D$9084e2f5_1186dc0d_, pkI2_V0: D$9084e2f5_1186dc0d_, pkI3_V0: D$9084e2f5_1186dc0d_, epkI1_V0: D$9084e2f5_1186dc0d_, epkI2_V0: D$9084e2f5_1186dc0d_, epkI3_V0: D$9084e2f5_1186dc0d_, epkI4_V0: D$9084e2f5_1186dc0d_, epkI5_V0: D$9084e2f5_1186dc0d_, epkI6_V0: D$9084e2f5_1186dc0d_, epkI7_V0: 
D$9084e2f5_1186dc0d_, epkI8_V0: D$9084e2f5_1186dc0d_, epkI9_V0: D$9084e2f5_1186dc0d_, epkI10_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(1), sidI_V0, epkI1_V0, Term_c_pkI_lin_68d987ee_F(kR1_V0, kR2_V0, pkI1_V0, epkI2_V0, epkI3_V0, epkI4_V0), Term_c_ts_lin_68d987ee_F(kR3_V0, kR4_V0, kR5_V0, kR6_V0, kR7_V0, pkI2_V0, pkI3_V0, epkI5_V0, epkI6_V0, epkI7_V0, epkI8_V0, epkI9_V0, epkI10_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Term_c4_68d987ee_F(c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(c3_V0, Term_epkR_68d987ee_F(ekR_V0)) +} + +function Term_h5_68d987ee_F(h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(h4_V0, Term_epkR_68d987ee_F(ekR_V0)) +} + +function Term_c5_68d987ee_F(epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c4_68d987ee_F(c3_V0, ekR_V0), exp_d2674021_F(epkI_V0, ekR_V0)) +} + +function Term_c6_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c5_68d987ee_F(epkI_V0, c3_V0, ekR_V0), exp_d2674021_F(pkI_V0, ekR_V0)) +} + +function Term_c7_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Term_pi_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function 
Term_k3_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf3_d2674021_F(Term_c6_68d987ee_F(pkI_V0, epkI_V0, c3_V0, ekR_V0), psk_V0) +} + +function Term_h6_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h5_68d987ee_F(h4_V0, ekR_V0), Term_pi_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Term_c_empty_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k3_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0), zeroString_d2674021_F(12), zeroString_d2674021_F(0), Term_h6_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0)) +} + +function Term_M2_68d987ee_F(sidI_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(2), sidR_V0, sidI_V0, Term_epkR_68d987ee_F(ekR_V0), Term_c_empty_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, h4_V0, ekR_V0), mac1_V0, mac2_V0) +} + +function Term_k_IR_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1__d2674021_F(Term_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Term_k_RI_68d987ee_F(pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, 
epkI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2__d2674021_F(Term_c7_68d987ee_F(pkI_V0, psk_V0, epkI_V0, c3_V0, ekR_V0)) +} + +function Bytes_pkI_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), kI_V0) +} + +function Bytes_epkI_35781e6d_F(ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + expB_b3aa12e7_F(generatorB_b3aa12e7_F(), ekI_V0) +} + +function Bytes_c0_35781e6d_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB__b3aa12e7_F(infoBytesB_b3aa12e7_F()) +} + +function Bytes_h0_35781e6d_F(): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_c0_35781e6d_F(), prologueBytesB_b3aa12e7_F()) +} + +function Bytes_h1_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h0_35781e6d_F(), pkR_V0) +} + +function Bytes_c1_35781e6d_F(ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c0_35781e6d_F(), Bytes_epkI_35781e6d_F(ekI_V0)) +} + +function Bytes_h2_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h1_35781e6d_F(pkR_V0), Bytes_epkI_35781e6d_F(ekI_V0)) +} + +function Bytes_c2_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c1_35781e6d_F(ekI_V0), expB_b3aa12e7_F(pkR_V0, ekI_V0)) +} + +function Bytes_k1_35781e6d_F(pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c1_35781e6d_F(ekI_V0), expB_b3aa12e7_F(pkR_V0, ekI_V0)) +} + +function Bytes_c_pkI_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k1_35781e6d_F(pkR_V0, ekI_V0), zeroStringB_b3aa12e7_F(12), Bytes_pkI_35781e6d_F(kI_V0), Bytes_h2_35781e6d_F(pkR_V0, ekI_V0)) +} + +function Bytes_h3_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: 
D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h2_35781e6d_F(pkR_V0, ekI_V0), Bytes_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Bytes_c3_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c2_35781e6d_F(pkR_V0, ekI_V0), expB_b3aa12e7_F(pkR_V0, kI_V0)) +} + +function Bytes_k2_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c2_35781e6d_F(pkR_V0, ekI_V0), expB_b3aa12e7_F(pkR_V0, kI_V0)) +} + +function Bytes_c_ts_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k2_35781e6d_F(kI_V0, pkR_V0, ekI_V0), zeroStringB_b3aa12e7_F(12), ts_V0, Bytes_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Bytes_h4_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Bytes_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0)) +} + +function Bytes_M1_35781e6d_F(sidI_V0: D$8d64a7ad_b3aa12e7_, kI_V0: D$8d64a7ad_b3aa12e7_, pkR_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, ts_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(1), sidI_V0, Bytes_epkI_35781e6d_F(ekI_V0), Bytes_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Bytes_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Bytes_c4_35781e6d_F(c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(c3_V0, epkR_V0) +} + +function Bytes_h5_35781e6d_F(h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): 
D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(h4_V0, epkR_V0) +} + +function Bytes_c5_35781e6d_F(ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c4_35781e6d_F(c3_V0, epkR_V0), expB_b3aa12e7_F(epkR_V0, ekI_V0)) +} + +function Bytes_c6_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c5_35781e6d_F(ekI_V0, c3_V0, epkR_V0), expB_b3aa12e7_F(epkR_V0, kI_V0)) +} + +function Bytes_c7_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B_b3aa12e7_F(Bytes_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Bytes_pi_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B_b3aa12e7_F(Bytes_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Bytes_k3_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf3B_b3aa12e7_F(Bytes_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Bytes_h6_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + hashB_b3aa12e7_F(Bytes_h5_35781e6d_F(h4_V0, epkR_V0), Bytes_pi_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Bytes_c_empty_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: 
D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + aeadB_b3aa12e7_F(Bytes_k3_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0), zeroStringB_b3aa12e7_F(12), zeroStringB_b3aa12e7_F(0), Bytes_h6_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0)) +} + +function Bytes_M2_35781e6d_F(sidI_V0: D$8d64a7ad_b3aa12e7_, sidR_V0: D$8d64a7ad_b3aa12e7_, kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, h4_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_, mac1_V0: D$8d64a7ad_b3aa12e7_, mac2_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + tuple7B_b3aa12e7_F(integer32B_b3aa12e7_F(2), sidR_V0, sidI_V0, epkR_V0, Bytes_c_empty_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0), mac1_V0, mac2_V0) +} + +function Bytes_k_IR_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf1B__b3aa12e7_F(Bytes_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Bytes_k_RI_35781e6d_F(kI_V0: D$8d64a7ad_b3aa12e7_, psk_V0: D$8d64a7ad_b3aa12e7_, ekI_V0: D$8d64a7ad_b3aa12e7_, c3_V0: D$8d64a7ad_b3aa12e7_, epkR_V0: D$8d64a7ad_b3aa12e7_): D$8d64a7ad_b3aa12e7_ +{ + kdf2B__b3aa12e7_F(Bytes_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Term_pkI_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), kI_V0) +} + +function Term_epkI_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + exp_d2674021_F(generator_d2674021_F(), ekI_V0) +} + +function Term_c0_35781e6d_F(): D$9084e2f5_1186dc0d_ +{ + hash__d2674021_F(infoTerm_d2674021_F()) +} + +function Term_h0_35781e6d_F(): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_c0_35781e6d_F(), prologueTerm_d2674021_F()) +} + +function Term_h1_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h0_35781e6d_F(), 
pkR_V0) +} + +function Term_c1_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c0_35781e6d_F(), Term_epkI_35781e6d_F(ekI_V0)) +} + +function Term_h2_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h1_35781e6d_F(pkR_V0), Term_epkI_35781e6d_F(ekI_V0)) +} + +function Term_c2_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c1_35781e6d_F(ekI_V0), exp_d2674021_F(pkR_V0, ekI_V0)) +} + +function Term_k1_35781e6d_F(pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c1_35781e6d_F(ekI_V0), exp_d2674021_F(pkR_V0, ekI_V0)) +} + +function Term_c_pkI_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k1_35781e6d_F(pkR_V0, ekI_V0), zeroString_d2674021_F(12), Term_pkI_35781e6d_F(kI_V0), Term_h2_35781e6d_F(pkR_V0, ekI_V0)) +} + +function Term_h3_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h2_35781e6d_F(pkR_V0, ekI_V0), Term_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Term_c3_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c2_35781e6d_F(pkR_V0, ekI_V0), exp_d2674021_F(pkR_V0, kI_V0)) +} + +function Term_k2_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c2_35781e6d_F(pkR_V0, ekI_V0), exp_d2674021_F(pkR_V0, kI_V0)) +} + +function Term_c_ts_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k2_35781e6d_F(kI_V0, pkR_V0, 
ekI_V0), zeroString_d2674021_F(12), ts_V0, Term_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0)) +} + +function Term_h4_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h3_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Term_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0)) +} + +function Term_M1_35781e6d_F(sidI_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(1), sidI_V0, Term_epkI_35781e6d_F(ekI_V0), Term_c_pkI_35781e6d_F(kI_V0, pkR_V0, ekI_V0), Term_c_ts_35781e6d_F(kI_V0, pkR_V0, ekI_V0, ts_V0), mac1_V0, mac2_V0) +} + +function Term_c4_35781e6d_F(c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(c3_V0, epkR_V0) +} + +function Term_h5_35781e6d_F(h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(h4_V0, epkR_V0) +} + +function Term_c5_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c4_35781e6d_F(c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, ekI_V0)) +} + +function Term_c5_lin_35781e6d_F(ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c4_35781e6d_F(c3_V0, epkR1_V0), exp_d2674021_F(epkR2_V0, ekI_V0)) +} + +function Term_c6_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c5_35781e6d_F(ekI_V0, c3_V0, epkR_V0), exp_d2674021_F(epkR_V0, kI_V0)) +} + +function Term_c6_lin_35781e6d_F(kI_V0: 
D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c5_lin_35781e6d_F(ekI_V0, c3_V0, epkR1_V0, epkR2_V0), exp_d2674021_F(epkR3_V0, kI_V0)) +} + +function Term_c7_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1_d2674021_F(Term_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Term_pi_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Term_pi_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2_d2674021_F(Term_c6_lin_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR1_V0, epkR2_V0, epkR3_V0), psk_V0) +} + +function Term_k3_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf3_d2674021_F(Term_c6_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR_V0), psk_V0) +} + +function Term_k3_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf3_d2674021_F(Term_c6_lin_35781e6d_F(kI_V0, ekI_V0, c3_V0, epkR1_V0, epkR2_V0, epkR3_V0), psk_V0) +} + +function Term_h6_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: 
D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h5_35781e6d_F(h4_V0, epkR_V0), Term_pi_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Term_h6_lin_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_, epkR4_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + hash_d2674021_F(Term_h5_35781e6d_F(h4_V0, epkR1_V0), Term_pi_lin_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR2_V0, epkR3_V0, epkR4_V0)) +} + +function Term_c_empty_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k3_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0), zeroString_d2674021_F(12), zeroString_d2674021_F(0), Term_h6_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0)) +} + +function Term_c_empty_lin_35781e6d_F(kI1_V0: D$9084e2f5_1186dc0d_, kI2_V0: D$9084e2f5_1186dc0d_, psk1_V0: D$9084e2f5_1186dc0d_, psk2_V0: D$9084e2f5_1186dc0d_, ekI1_V0: D$9084e2f5_1186dc0d_, ekI2_V0: D$9084e2f5_1186dc0d_, c31_V0: D$9084e2f5_1186dc0d_, c32_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_, epkR4_V0: D$9084e2f5_1186dc0d_, epkR5_V0: D$9084e2f5_1186dc0d_, epkR6_V0: D$9084e2f5_1186dc0d_, epkR7_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + aead_d2674021_F(Term_k3_lin_35781e6d_F(kI1_V0, psk1_V0, ekI1_V0, c31_V0, epkR1_V0, epkR2_V0, epkR3_V0), zeroString_d2674021_F(12), zeroString_d2674021_F(0), Term_h6_lin_35781e6d_F(kI2_V0, psk2_V0, ekI2_V0, c32_V0, h4_V0, epkR4_V0, 
epkR5_V0, epkR6_V0, epkR7_V0)) +} + +function Term_M2_35781e6d_F(sidI_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(2), sidR_V0, sidI_V0, epkR_V0, Term_c_empty_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0), mac1_V0, mac2_V0) +} + +function Term_M2_lin_35781e6d_F(sidI_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kI1_V0: D$9084e2f5_1186dc0d_, kI2_V0: D$9084e2f5_1186dc0d_, psk1_V0: D$9084e2f5_1186dc0d_, psk2_V0: D$9084e2f5_1186dc0d_, ekI1_V0: D$9084e2f5_1186dc0d_, ekI2_V0: D$9084e2f5_1186dc0d_, c31_V0: D$9084e2f5_1186dc0d_, c32_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, epkR1_V0: D$9084e2f5_1186dc0d_, epkR2_V0: D$9084e2f5_1186dc0d_, epkR3_V0: D$9084e2f5_1186dc0d_, epkR4_V0: D$9084e2f5_1186dc0d_, epkR5_V0: D$9084e2f5_1186dc0d_, epkR6_V0: D$9084e2f5_1186dc0d_, epkR7_V0: D$9084e2f5_1186dc0d_, epkR8_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + tuple7_d2674021_F(integer32_d2674021_F(2), sidR_V0, sidI_V0, epkR1_V0, Term_c_empty_lin_35781e6d_F(kI1_V0, kI2_V0, psk1_V0, psk2_V0, ekI1_V0, ekI2_V0, c31_V0, c32_V0, h4_V0, epkR2_V0, epkR3_V0, epkR4_V0, epkR5_V0, epkR6_V0, epkR7_V0, epkR8_V0), mac1_V0, mac2_V0) +} + +function Term_k_IR_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf1__d2674021_F(Term_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +function Term_k_RI_35781e6d_F(kI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, epkR_V0: 
D$9084e2f5_1186dc0d_): D$9084e2f5_1186dc0d_ +{ + kdf2__d2674021_F(Term_c7_35781e6d_F(kI_V0, psk_V0, ekI_V0, c3_V0, epkR_V0)) +} + +predicate HandshakeMem1_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref) == 32) +} + +predicate HandshakeMem2_22e24f7d_F(hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref) == 32) +} + +predicate 
ResponderMem_22e24f7d_F(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref]) { + true && (acc(LibMem_c7a67a88_F((ShStructget0of4(responder_V0): ShStruct4[Ref, Ref, Ref, Ref])), write) && acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), write) && acc((ShStructget2of4(responder_V0): Ref).val$_Int, write) && acc((ShStructget3of4(responder_V0): Ref).val$_Int, write)) +} + +predicate token_c3672ae3_F(t_V0: D$fe170ee1_c3672ae3_) + +predicate ErrorMem_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Send_First_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, 
b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_OutFact_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, new_x_V0: D$9084e2f5_1186dc0d_) + +predicate P_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(phiR_Resp_0_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_1_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_2_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Resp_3_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && 
acc(phiR_Resp_4_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRG_Resp_5_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_6_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_7_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_8_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_9_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_10_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_11_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_12_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_13_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Resp_14_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write)) +} + +predicate phiR_Resp_0_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Resp_3e61b158_F(sidR_V1, b_V1, kR_V1), LtpK_Resp_3e61b158_F(sidR_V1, a_V1, pkI_V1), PsK_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, psk_V1), 
InFact_Resp_3e61b158_F(sidR_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_ap_V1 == Multiset(InFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))))), sidI_V1)) ==> acc(e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, 
sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Resp_3e61b158_F(sidR_V1, b_V1, kR_V1), LtpK_Resp_3e61b158_F(sidR_V1, a_V1, pkI_V1), PsK_Resp_3e61b158_F(sidR_V1, a_V1, b_V1, psk_V1), InFact_Resp_3e61b158_F(sidR_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), 
kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_ap_V1 == Multiset(InFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, epkI_V1, aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1)))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), exp_1186dc0d_F(pkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), epkI_V1), exp_1186dc0d_F(epkI_V1, kR_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pkI_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kR_V1)), epkI_V1))))), sidI_V1)) ==> acc(P_Resp_c0f0ff6b_F(get_e_Handshake_St_Resp_1_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, kR_V1, pkI_V1, psk_V1, sidI_V1, epkI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, ekR_V1: 
D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1), FrFact_Resp_3e61b158_F(sidR_V1, ekR_V1), MAC_Resp_3e61b158_F(sidR_V1, mac1R_V1), MAC_Resp_3e61b158_F(sidR_V1, mac2R_V1)) && tami_ap_V1 == Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)))))), SendSIDR_2716b91c_F(sidR_V1), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), OutFact_Resp_3e61b158_F(sidR_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) ==> acc(e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: 
D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, pkI_V1: D$9084e2f5_1186dc0d_, kR_V1: D$9084e2f5_1186dc0d_, epkI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, ekR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_1_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1), FrFact_Resp_3e61b158_F(sidR_V1, ekR_V1), MAC_Resp_3e61b158_F(sidR_V1, mac1R_V1), MAC_Resp_3e61b158_F(sidR_V1, mac2R_V1)) && tami_ap_V1 == Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)))))), SendSIDR_2716b91c_F(sidR_V1), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), 
aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), OutFact_Resp_3e61b158_F(sidR_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), 
ekR_V1)), exp_1186dc0d_F(epkI_V1, ekR_V1)), exp_1186dc0d_F(pkI_V1, ekR_V1)), psk_V1))), mac1R_V1, mac2R_V1))) ==> acc(P_Resp_c0f0ff6b_F(get_e_Handshake_St_Resp_2_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, pkI_V1, kR_V1, epkI_V1, psk_V1, c3_V1, h4_V1, sidI_V1, ekR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, n_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedFirstResp_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)), 
InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, n_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_2_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedFirstResp_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, n_V1, aead_1186dc0d_F(kIR_V1, n_V1, p_V1, 
pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(P_Resp_c0f0ff6b_F(get_e_Receive_First_Resp_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, n_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_3_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), Counter_Resp_3e61b158_F(sidR_V1, nRI_V1), Message_Resp_3e61b158_F(sidR_V1, p_V1)) && tami_ap_V1 == Multiset(SentRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), OutFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, 
nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), Counter_Resp_3e61b158_F(sidR_V1, nRI_V1), Message_Resp_3e61b158_F(sidR_V1, p_V1)) && tami_ap_V1 == Multiset(SentRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), OutFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidI_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(P_Resp_c0f0ff6b_F(get_e_Send_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, 
tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Resp_4_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidR_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidI_V1: 
D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1), InFact_Resp_3e61b158_F(sidR_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedRespLoop_2716b91c_F(sidR_V1, sidI_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDI_2716b91c_F(sidI_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Resp_3_3e61b158_F(sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1)) ==> acc(P_Resp_c0f0ff6b_F(get_e_Receive_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V1, a_V1, b_V1, prologue_V1, info_V1, sidI_V1, kIR_V1, kRI_V1, x_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiRG_Resp_5_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), write)) 
&& (forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(P_Resp_c0f0ff6b_F(get_e_OutFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), tami_rid_V0, (tami_s_V0 setminus Multiset(OutFact_Resp_3e61b158_F(tami_rid_V0, new_x_V1)))), write))) +} + +predicate phiRF_Resp_6_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_LtK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtK_Resp_3e61b158_F(tami_rid_V0, get_e_LtK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_7_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtpK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_LtpK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtpK_Resp_3e61b158_F(tami_rid_V0, get_e_LtpK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtpK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_8_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_PsK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(PsK_Resp_3e61b158_F(tami_rid_V0, get_e_PsK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r3_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_9_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: 
D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_InFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(InFact_Resp_3e61b158_F(tami_rid_V0, get_e_InFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_10_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_FrFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(FrFact_Resp_3e61b158_F(tami_rid_V0, get_e_FrFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_11_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_MAC_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(MAC_Resp_3e61b158_F(tami_rid_V0, get_e_MAC_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_12_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_Counter_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Counter_Resp_3e61b158_F(tami_rid_V0, get_e_Counter_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_13_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_Message_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, 
(tami_s_V0 union Multiset(Message_Resp_3e61b158_F(tami_rid_V0, get_e_Message_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Resp_14_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Setup_Resp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Resp_c0f0ff6b_F(get_e_Setup_Resp_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Setup_Resp_3e61b158_F(tami_rid_V0, get_e_Setup_Resp_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_Setup_Resp_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), pubTerm_1186dc0d_F(const_p_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_i_pub_db7e1422_F()))))), write)) +} + +predicate e_LtK_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_LtpK_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_PsK_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_FrFact_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Timestamp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_MAC_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_InFact_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Message_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Counter_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Setup_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Setup_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_) + +predicate e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: 
D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, 
nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) + +predicate P_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(phiR_Init_0_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_1_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_2_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_3_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiR_Init_4_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRG_Init_5_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_6_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_7_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_8_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_9_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_10_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_11_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_12_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_13_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && acc(phiRF_Init_14_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write) && 
acc(phiRF_Init_15_c0f0ff6b_F(tami_p_V0, tami_rid_V0, tami_s_V0), write)) +} + +predicate phiR_Init_0_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Init_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Init_3e61b158_F(sidI_V1, a_V1, kI_V1), LtpK_Init_3e61b158_F(sidI_V1, b_V1, pkR_V1), PsK_Init_3e61b158_F(sidI_V1, a_V1, b_V1, psk_V1), FrFact_Init_3e61b158_F(sidI_V1, ekI_V1), Timestamp_Init_3e61b158_F(sidI_V1, timestamp_V1), MAC_Init_3e61b158_F(sidI_V1, mac1I_V1), MAC_Init_3e61b158_F(sidI_V1, mac2I_V1)) && tami_ap_V1 == Multiset(SendSIDI_2716b91c_F(sidI_V1), OutFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)))), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))))), OutFact_Init_3e61b158_F(sidI_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) ==> acc(e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, timestamp_V1: D$9084e2f5_1186dc0d_, mac1I_V1: D$9084e2f5_1186dc0d_, mac2I_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(Setup_Init_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1), LtK_Init_3e61b158_F(sidI_V1, a_V1, kI_V1), LtpK_Init_3e61b158_F(sidI_V1, b_V1, pkR_V1), PsK_Init_3e61b158_F(sidI_V1, a_V1, b_V1, psk_V1), FrFact_Init_3e61b158_F(sidI_V1, ekI_V1), Timestamp_Init_3e61b158_F(sidI_V1, timestamp_V1), MAC_Init_3e61b158_F(sidI_V1, mac1I_V1), MAC_Init_3e61b158_F(sidI_V1, mac2I_V1)) && tami_ap_V1 == Multiset(SendSIDI_2716b91c_F(sidI_V1), OutFormat1_2716b91c_F(format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, 
exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) && tami_rp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)))), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))))), OutFact_Init_3e61b158_F(sidI_V1, format1_1186dc0d_F(pubTerm_1186dc0d_F(const_1_pub_db7e1422_F()), sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))), 
aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), exp_1186dc0d_F(pkR_V1, kI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), timestamp_V1, h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), aead_1186dc0d_F(kdf2_1186dc0d_F(kdf1_1186dc0d_F(h__1186dc0d_F(info_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1)), exp_1186dc0d_F(pkR_V1, ekI_V1)), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), kI_V1), h_1186dc0d_F(h_1186dc0d_F(h_1186dc0d_F(h__1186dc0d_F(info_V1), prologue_V1), pkR_V1), exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), ekI_V1))))), mac1I_V1, mac2I_V1))) ==> acc(P_Init_c0f0ff6b_F(get_e_Handshake_St_Init_1_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, psk_V1, ekI_V1, timestamp_V1, mac1I_V1, mac2I_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, epkR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { 
e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1), InFact_Init_3e61b158_F(sidI_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_ap_V1 == Multiset(Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))), 
InFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))) ==> acc(e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, kI_V1: D$9084e2f5_1186dc0d_, pkR_V1: D$9084e2f5_1186dc0d_, ekI_V1: D$9084e2f5_1186dc0d_, psk_V1: D$9084e2f5_1186dc0d_, c3_V1: D$9084e2f5_1186dc0d_, h4_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, epkR_V1: D$9084e2f5_1186dc0d_, mac1R_V1: D$9084e2f5_1186dc0d_, mac2R_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, 
c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_1_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1), InFact_Init_3e61b158_F(sidI_V1, format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_ap_V1 == Multiset(Commit_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))))), Secret_2716b91c_F(a_V1, b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))), InFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), sidR_V1, sidI_V1, epkR_V1, 
aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(h4_V1, epkR_V1), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1))), mac1R_V1, mac2R_V1))) && tami_rp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(c3_V1, epkR_V1), exp_1186dc0d_F(epkR_V1, ekI_V1)), exp_1186dc0d_F(epkR_V1, kI_V1)), psk_V1)))) ==> acc(P_Init_c0f0ff6b_F(get_e_Handshake_St_Init_2_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, kI_V1, pkR_V1, ekI_V1, psk_V1, c3_V1, h4_V1, sidR_V1, epkR_V1, mac1R_V1, mac2R_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } 
M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentFirstInit_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Running_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_2_3e61b158_F(sidI_V1, a_V1, b_V1, 
prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentFirstInit_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1, p_V1), Running_2716b91c_F(pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pair_1186dc0d_F(a_V1, pair_1186dc0d_F(b_V1, pair_1186dc0d_F(kIR_V1, kRI_V1)))), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), aead_1186dc0d_F(kIR_V1, pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(P_Init_c0f0ff6b_F(get_e_Send_First_Init_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_3_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, 
info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Counter_Init_3e61b158_F(sidI_V1, nIR_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == Multiset(SentInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, nIR_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), Counter_Init_3e61b158_F(sidI_V1, nIR_V1), Message_Init_3e61b158_F(sidI_V1, p_V1)) && tami_ap_V1 == 
Multiset(SentInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), OutFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), OutFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), sidR_V1, nIR_V1, aead_1186dc0d_F(kIR_V1, nIR_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) ==> acc(P_Init_c0f0ff6b_F(get_e_Send_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, nIR_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiR_Init_4_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), InFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, 
p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1)) ==> acc(e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), write)) && (forall sidI_V1: D$9084e2f5_1186dc0d_, a_V1: D$9084e2f5_1186dc0d_, b_V1: D$9084e2f5_1186dc0d_, prologue_V1: D$9084e2f5_1186dc0d_, info_V1: D$9084e2f5_1186dc0d_, sidR_V1: D$9084e2f5_1186dc0d_, kIR_V1: D$9084e2f5_1186dc0d_, kRI_V1: D$9084e2f5_1186dc0d_, x_V1: D$9084e2f5_1186dc0d_, nRI_V1: D$9084e2f5_1186dc0d_, p_V1: D$9084e2f5_1186dc0d_, tami_lp_V1: Multiset[D$226445f2_3e61b158_], tami_ap_V1: Multiset[D$46be403b_2716b91c_], tami_rp_V1: Multiset[D$226445f2_3e61b158_] :: { e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1) } M_3e61b158_F(tami_lp_V1, tami_s_V0) && tami_lp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1), InFact_Init_3e61b158_F(sidI_V1, format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_ap_V1 == Multiset(ReceivedInitLoop_2716b91c_F(sidI_V1, sidR_V1, a_V1, b_V1, kIR_V1, kRI_V1), AlreadyKnownSIDR_2716b91c_F(sidR_V1), InFormat4_2716b91c_F(format4_1186dc0d_F(pubTerm_1186dc0d_F(const_4_pub_db7e1422_F()), x_V1, nRI_V1, aead_1186dc0d_F(kRI_V1, nRI_V1, p_V1, 
pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()))))) && tami_rp_V1 == Multiset(St_Init_3_3e61b158_F(sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1)) ==> acc(P_Init_c0f0ff6b_F(get_e_Receive_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V1, a_V1, b_V1, prologue_V1, info_V1, sidR_V1, kIR_V1, kRI_V1, x_V1, nRI_V1, p_V1, tami_lp_V1, tami_ap_V1, tami_rp_V1), tami_rid_V0, U_3e61b158_F(tami_lp_V1, tami_rp_V1, tami_s_V0)), write))) +} + +predicate phiRG_Init_5_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && ((forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), write)) && (forall new_x_V1: D$9084e2f5_1186dc0d_ :: { e_OutFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1) } { OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) } ((OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1) in tami_s_V0)) > 0 ==> acc(P_Init_c0f0ff6b_F(get_e_OutFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0, new_x_V1), tami_rid_V0, (tami_s_V0 setminus Multiset(OutFact_Init_3e61b158_F(tami_rid_V0, new_x_V1)))), write))) +} + +predicate phiRF_Init_6_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_LtK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtK_Init_3e61b158_F(tami_rid_V0, get_e_LtK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_7_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_LtpK_c0f0ff6b_F(tami_p_V0, 
tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_LtpK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(LtpK_Init_3e61b158_F(tami_rid_V0, get_e_LtpK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_LtpK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_8_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_PsK_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_PsK_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(PsK_Init_3e61b158_F(tami_rid_V0, get_e_PsK_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_PsK_r3_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_9_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_FrFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_FrFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(FrFact_Init_3e61b158_F(tami_rid_V0, get_e_FrFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_10_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Timestamp_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Timestamp_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Timestamp_Init_3e61b158_F(tami_rid_V0, get_e_Timestamp_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_11_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_MAC_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_MAC_placeDst_c0f0ff6b_F(tami_p_V0, 
tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(MAC_Init_3e61b158_F(tami_rid_V0, get_e_MAC_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_12_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_InFact_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_InFact_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(InFact_Init_3e61b158_F(tami_rid_V0, get_e_InFact_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_13_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Message_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Message_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Message_Init_3e61b158_F(tami_rid_V0, get_e_Message_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_14_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Counter_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Counter_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Counter_Init_3e61b158_F(tami_rid_V0, get_e_Counter_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0))))), write)) +} + +predicate phiRF_Init_15_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, tami_rid_V0: D$9084e2f5_1186dc0d_, tami_s_V0: Multiset[D$226445f2_3e61b158_]) { + true && (acc(e_Setup_Init_c0f0ff6b_F(tami_p_V0, tami_rid_V0), write) && acc(P_Init_c0f0ff6b_F(get_e_Setup_Init_placeDst_c0f0ff6b_F(tami_p_V0, tami_rid_V0), tami_rid_V0, (tami_s_V0 union Multiset(Setup_Init_3e61b158_F(tami_rid_V0, get_e_Setup_Init_r1_c0f0ff6b_F(tami_p_V0, tami_rid_V0), get_e_Setup_Init_r2_c0f0ff6b_F(tami_p_V0, tami_rid_V0), 
pubTerm_1186dc0d_F(const_p_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_i_pub_db7e1422_F()))))), write)) +} + +predicate Mem_c7a67a88_F(b_V0: Slice[Ref]) + +predicate LibMem_c7a67a88_F(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) + +predicate RequestMem_c7a67a88_F(request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of7(request_V0): Ref).val$_Int, write) && acc((ShStructget1of7(request_V0): Ref).val$_Int, write) && acc((ShStructget2of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget5of7(request_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget6of7(request_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget2of7(request_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget3of7(request_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of7(request_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget2of7(request_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget3of7(request_V0): Ref).val$_Slice_Ref) == 48 && Size_c7a67a88_F((ShStructget4of7(request_V0): Ref).val$_Slice_Ref) == 28 && (!((ShStructget5of7(request_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget5of7(request_V0): Ref).val$_Slice_Ref) == 16) && (!((ShStructget6of7(request_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget6of7(request_V0): Ref).val$_Slice_Ref) == 16)) +} + +predicate ResponseMem_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of7(response_V0): Ref).val$_Int, write) && acc((ShStructget1of7(response_V0): Ref).val$_Int, write) && 
acc((ShStructget2of7(response_V0): Ref).val$_Int, write) && acc((ShStructget3of7(response_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of7(response_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget5of7(response_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget6of7(response_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of7(response_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget3of7(response_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget4of7(response_V0): Ref).val$_Slice_Ref) == 16 && (!((ShStructget5of7(response_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget5of7(response_V0): Ref).val$_Slice_Ref) == 16) && (!((ShStructget6of7(response_V0): Ref).val$_Slice_Ref == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget6of7(response_V0): Ref).val$_Slice_Ref) == 16)) +} + +predicate ConnectionMem_c7a67a88_F(conn_V0: ShStruct4[Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of4(conn_V0): Ref).val$_Int, write) && acc((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of4(conn_V0): Ref).val$_Int, write) && acc(Mem_c7a67a88_F((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget1of4(conn_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget2of4(conn_V0): Ref).val$_Slice_Ref) == 32) +} + +predicate HandshakeArgsMem_c7a67a88_F(args_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]) { + true && (true && acc((ShStructget0of5(args_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(args_V0): 
Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(args_V0): Ref).val$_Int, write) && acc((ShStructget3of5(args_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of5(args_V0): Ref).val$_Slice_Ref, write) && acc(Mem_c7a67a88_F((ShStructget0of5(args_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget1of5(args_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget3of5(args_V0): Ref).val$_Slice_Ref), write) && acc(Mem_c7a67a88_F((ShStructget4of5(args_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget0of5(args_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget1of5(args_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget3of5(args_V0): Ref).val$_Slice_Ref) == 32 && Size_c7a67a88_F((ShStructget4of5(args_V0): Ref).val$_Slice_Ref) == 32 && Abs_c7a67a88_F((ShStructget3of5(args_V0): Ref).val$_Slice_Ref) == expB_b3aa12e7_F(generatorB_b3aa12e7_F(), Abs_c7a67a88_F((ShStructget1of5(args_V0): Ref).val$_Slice_Ref))) +} + +predicate patternRequirement1EPKRWitness_8142c2d2_F(t_V0: D$9084e2f5_1186dc0d_) + +predicate patternRequirement3EPKIWitness_8142c2d2_F(t_V0: D$9084e2f5_1186dc0d_) + +predicate patternRequirement4NonceWitness_8142c2d2_F(t_V0: D$9084e2f5_1186dc0d_) + +method RunResponder_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], sid_V0: Int, a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F((ShStructget0of4(responder_V0): ShStruct4[Ref, Ref, Ref, Ref])), write) && (true && acc((ShStructget0of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int, write) && acc((ShStructget3of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, 
Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget4of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write)) && acc((ShStructget2of4(responder_V0): Ref).val$_Int, write) && acc((ShStructget3of4(responder_V0): Ref).val$_Int, write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0)), Multiset[D$226445f2_3e61b158_]()), write) + requires !(sid_V0 == 1) && !(sid_V0 == 2) && !(sid_V0 == 4) +{ + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, sid_V0_CN1: uint32°, a_V0_CN2: uint32°, b_V0_CN3: uint32°, t_V0_CN4: Place_c3672ae3_T° + var t_V0_CN4: D$fe170ee1_c3672ae3_ + var b_V0_CN3: Int + var a_V0_CN2: Int + var sid_V0_CN1: Int + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init sid_V0_CN1 + inhale sid_V0_CN1 == 0 + + // init a_V0_CN2 + inhale a_V0_CN2 == 0 + + // init b_V0_CN3 + inhale b_V0_CN3 == 0 + + // init t_V0_CN4 + inhale t_V0_CN4 == dfltD$fe170ee1_c3672ae3_() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // sid_V0_CN1 = sid_V0 + sid_V0_CN1 := sid_V0 + + // a_V0_CN2 = a_V0 + a_V0_CN2 := a_V0 + + // b_V0_CN3 = b_V0 + b_V0_CN3 := b_V0 + + // t_V0_CN4 = t_V0 + t_V0_CN4 := t_V0 + + // decl N7: bool°, N8: seq[Term_1186dc0d_T]°, N9: Place_c3672ae3_T°, N10: mset[Fact_3e61b158_T]°, ok_V1: bool°, keys_V1: seq[Term_1186dc0d_T]°, t1_V1: Place_c3672ae3_T°, s1_V1: mset[Fact_3e61b158_T]°, N11: *Connection_c7a67a88_T°, N12: bool°, N13: seq[Term_1186dc0d_T]°, N14: Place_c3672ae3_T°, N15: mset[Fact_3e61b158_T]°, keypair_V1: *Connection_c7a67a88_T°, v1_V1: seq[Term_1186dc0d_T]° + var v1_V1: 
Seq[D$9084e2f5_1186dc0d_] + var keypair_V1: ShStruct4[Ref, Ref, Ref, Ref] + var N15: Multiset[D$226445f2_3e61b158_] + var N14: D$fe170ee1_c3672ae3_ + var N13: Seq[D$9084e2f5_1186dc0d_] + var N12: Bool + var N11: ShStruct4[Ref, Ref, Ref, Ref] + var s1_V1: Multiset[D$226445f2_3e61b158_] + var t1_V1: D$fe170ee1_c3672ae3_ + var keys_V1: Seq[D$9084e2f5_1186dc0d_] + var ok_V1: Bool + var N10: Multiset[D$226445f2_3e61b158_] + var N9: D$fe170ee1_c3672ae3_ + var N8: Seq[D$9084e2f5_1186dc0d_] + var N7: Bool + + // N7, N8, N9, N10 = responder_V0_CN0getInitialState(sid_V0_CN1, a_V0_CN2, b_V0_CN3, t_V0_CN4) + N7, N8, N9, N10 := getInitialState_22e24f7d_PMResponder(responder_V0_CN0, sid_V0_CN1, a_V0_CN2, b_V0_CN3, t_V0_CN4) + + // init ok_V1 + inhale ok_V1 == false + + // init keys_V1 + inhale keys_V1 == Seq[D$9084e2f5_1186dc0d_]() + + // init t1_V1 + inhale t1_V1 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V1 + inhale s1_V1 == Multiset[D$226445f2_3e61b158_]() + + // ok_V1 = N7 + ok_V1 := N7 + + // keys_V1 = N8 + keys_V1 := N8 + + // t1_V1 = N9 + t1_V1 := N9 + + // s1_V1 = N10 + s1_V1 := N10 + + // if(!ok_V1) {...} else {...} + if (!ok_V1) { + + // decl + + // return + goto returnLabel + } + + // N11, N12, N13, N14, N15 = responder_V0_CN0runHandshake(keys_V1, t1_V1, s1_V1) + N11, N12, N13, N14, N15 := runHandshake_22e24f7d_PMResponder(responder_V0_CN0, keys_V1, t1_V1, s1_V1) + + // init keypair_V1 + inhale keypair_V1 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init v1_V1 + inhale v1_V1 == Seq[D$9084e2f5_1186dc0d_]() + + // keypair_V1 = N11 + keypair_V1 := N11 + + // ok_V1 = N12 + ok_V1 := N12 + + // v1_V1 = N13 + v1_V1 := N13 + + // t1_V1 = N14 + t1_V1 := N14 + + // s1_V1 = N15 + s1_V1 := N15 + + // if(!ok_V1) {...} else {...} + if (!ok_V1) { + + // decl + + // return + goto returnLabel + } + + // go 
responder_V0_CN0.forwardPackets(keypair_V1, v1_V1, t1_V1, s1_V1) + exhale true && (acc(ResponderMem_22e24f7d_F(responder_V0_CN0), write) && acc(ConnectionMem_c7a67a88_F(keypair_V1), write)) && (acc(token_c3672ae3_F(t1_V1), write) && acc(P_Resp_c0f0ff6b_F(t1_V1, getRid_22e24f7d_PMResponder(responder_V0_CN0), s1_V1), write)) && |v1_V1| == 6 && 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0_CN0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), v1_V1[0], v1_V1[4], v1_V1[5]) in s1_V1)) && (gamma_b3aa12e7_F(v1_V1[0]) == ConnectionSidI_c7a67a88_F(keypair_V1) && gamma_b3aa12e7_F(v1_V1[1]) == getKR_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v1_V1[2]) == getPkI_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v1_V1[3]) == getPsk_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v1_V1[4]) == ConnectionKRI_c7a67a88_F(keypair_V1) && gamma_b3aa12e7_F(v1_V1[5]) == ConnectionKIR_c7a67a88_F(keypair_V1)) && ConnectionNonceVal_c7a67a88_F(keypair_V1) == 0 + label returnLabel +} + +method getInitialState_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], sid_V0: Int, a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_) returns (ok_V0: Bool, keys_V0: Seq[D$9084e2f5_1186dc0d_], t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(LibMem_c7a67a88_F((ShStructget0of4(responder_V0): ShStruct4[Ref, Ref, Ref, Ref])), write) && (true && acc((ShStructget0of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, 
Ref, Ref])): Ref).val$_Int, write) && acc((ShStructget3of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write) && acc((ShStructget4of5((ShStructget1of4(responder_V0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref, write)) && acc((ShStructget2of4(responder_V0): Ref).val$_Int, write) && acc((ShStructget3of4(responder_V0): Ref).val$_Int, write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0)), Multiset[D$226445f2_3e61b158_]()), write) + requires !(sid_V0 == 1) && !(sid_V0 == 2) && !(sid_V0 == 4) + ensures ok_V0 ==> acc(ResponderMem_22e24f7d_F(responder_V0), write) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Resp_c0f0ff6b_F(t1_V0, getRid_22e24f7d_PMResponder(responder_V0), s1_V0), write) + ensures ok_V0 ==> |keys_V0| == 3 + ensures ok_V0 ==> 0 < ((LtK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), keys_V0[0]) in s1_V0)) && gamma_b3aa12e7_F(keys_V0[0]) == getKR_22e24f7d_F(responder_V0) + ensures ok_V0 ==> 0 < ((LtpK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), keys_V0[1]) in s1_V0)) && gamma_b3aa12e7_F(keys_V0[1]) == getPkI_22e24f7d_F(responder_V0) + ensures ok_V0 ==> 0 < ((PsK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), keys_V0[2]) in s1_V0)) && gamma_b3aa12e7_F(keys_V0[2]) == getPsk_22e24f7d_F(responder_V0) + ensures ok_V0 ==> 0 < ((Setup_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), 
getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0))) in s1_V0)) +{ + inhale ok_V0 == false + inhale keys_V0 == Seq[D$9084e2f5_1186dc0d_]() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, sid_V0_CN1: uint32°, a_V0_CN2: uint32°, b_V0_CN3: uint32°, t_V0_CN4: Place_c3672ae3_T°, ok_V0_CN5: bool°, keys_V0_CN6: seq[Term_1186dc0d_T]°, t1_V0_CN7: Place_c3672ae3_T°, s1_V0_CN8: mset[Fact_3e61b158_T]° + var s1_V0_CN8: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN7: D$fe170ee1_c3672ae3_ + var keys_V0_CN6: Seq[D$9084e2f5_1186dc0d_] + var ok_V0_CN5: Bool + var t_V0_CN4: D$fe170ee1_c3672ae3_ + var b_V0_CN3: Int + var a_V0_CN2: Int + var sid_V0_CN1: Int + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init sid_V0_CN1 + inhale sid_V0_CN1 == 0 + + // init a_V0_CN2 + inhale a_V0_CN2 == 0 + + // init b_V0_CN3 + inhale b_V0_CN3 == 0 + + // init t_V0_CN4 + inhale t_V0_CN4 == dfltD$fe170ee1_c3672ae3_() + + // init ok_V0_CN5 + inhale ok_V0_CN5 == false + + // init keys_V0_CN6 + inhale keys_V0_CN6 == Seq[D$9084e2f5_1186dc0d_]() + + // init t1_V0_CN7 + inhale t1_V0_CN7 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN8 + inhale s1_V0_CN8 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // sid_V0_CN1 = sid_V0 + sid_V0_CN1 := sid_V0 + + // a_V0_CN2 = a_V0 + a_V0_CN2 := a_V0 + + // b_V0_CN3 = b_V0 + b_V0_CN3 := b_V0 + + // t_V0_CN4 = t_V0 + t_V0_CN4 := t_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, kRT_V1: Term_1186dc0d_T°, N52: bool°, N53: uint32°, N54: ByteString_c7a67a88_T°, N55: 
Place_c3672ae3_T°, bX_V1: uint32°, ltk_V1: ByteString_c7a67a88_T°, pkIT_V1: Term_1186dc0d_T°, N63: bool°, N64: uint32°, N65: ByteString_c7a67a88_T°, N66: Place_c3672ae3_T°, aX_V1: uint32°, ltpk_V1: ByteString_c7a67a88_T°, pskT_V1: Term_1186dc0d_T°, N71: bool°, N72: uint32°, N73: uint32°, N74: ByteString_c7a67a88_T°, N75: Place_c3672ae3_T°, bY_V1: uint32°, psk_V1: ByteString_c7a67a88_T°, N81: ByteString_c7a67a88_T°, N83: bool°, N84: uint32°, N85: uint32°, N86: Place_c3672ae3_T° + var N86: D$fe170ee1_c3672ae3_ + var N85: Int + var N84: Int + var N83: Bool + var N81: Slice[Ref] + var psk_V1: Slice[Ref] + var bY_V1: Int + var N75: D$fe170ee1_c3672ae3_ + var N74: Slice[Ref] + var N73: Int + var N72: Int + var N71: Bool + var pskT_V1: D$9084e2f5_1186dc0d_ + var ltpk_V1: Slice[Ref] + var aX_V1: Int + var N66: D$fe170ee1_c3672ae3_ + var N65: Slice[Ref] + var N64: Int + var N63: Bool + var pkIT_V1: D$9084e2f5_1186dc0d_ + var ltk_V1: Slice[Ref] + var bX_V1: Int + var N55: D$fe170ee1_c3672ae3_ + var N54: Slice[Ref] + var N53: Int + var N52: Bool + var kRT_V1: D$9084e2f5_1186dc0d_ + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0_CN1)) + rid_V1 := freshTerm_1186dc0d_F(fr_integer32_9e8b0260_F(sid_V0_CN1)) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = tuple4_d2674021_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), prologueTerm_d2674021_F(), infoTerm_d2674021_F()) + pp_V1 := tuple4_d2674021_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), prologueTerm_d2674021_F(), infoTerm_d2674021_F()) + + // t1_V0_CN7 = t_V0_CN4 + t1_V0_CN7 := t_V0_CN4 + + // s1_V0_CN8 = mset[Fact_3e61b158_T] { } + s1_V0_CN8 := Multiset[D$226445f2_3e61b158_]() + + // unfold 
acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRF_Resp_6_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiRF_Resp_6_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // init kRT_V1 + inhale kRT_V1 == dfltD$9084e2f5_1186dc0d_() + + // kRT_V1 = get_e_LtK_r2_c0f0ff6b_F(t1_V0_CN7, rid_V1) + kRT_V1 := get_e_LtK_r2_c0f0ff6b_F(t1_V0_CN7, rid_V1) + + // N52, N53, N54, N55 = &*responder_V0_CN0.LibStateAGetLtKBio(b_V0_CN3, t1_V0_CN7, rid_V1) + N52, N53, N54, N55 := GetLtKBio_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), b_V0_CN3, t1_V0_CN7, rid_V1) + + // init bX_V1 + inhale bX_V1 == 0 + + // init ltk_V1 + inhale ltk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ok_V0_CN5 = N52 + ok_V0_CN5 := N52 + + // bX_V1 = N53 + bX_V1 := N53 + + // ltk_V1 = N54 + ltk_V1 := N54 + + // t1_V0_CN7 = N55 + t1_V0_CN7 := N55 + + // if(!ok_V0_CN5 || b_V0_CN3 != bX_V1 || len(ltk_V1) != 32) {...} else {...} + if (!ok_V0_CN5 || !(b_V0_CN3 == bX_V1) || !((slen(ltk_V1): Int) == 32)) { + + // decl + + // ok_V0_CN5 = false + ok_V0_CN5 := false + + // return + goto returnLabel + } + + // s1_V0_CN8 = s1_V0_CN8 union mset[Fact_3e61b158_T] { LtK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), kRT_V1) } + s1_V0_CN8 := (s1_V0_CN8 union Multiset(LtK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), kRT_V1))) + + // assert 0 < LtK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), kRT_V1) in s1_V0_CN8 + assert 0 < ((LtK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), kRT_V1) in s1_V0_CN8)) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRF_Resp_7_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold 
acc(phiRF_Resp_7_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // init pkIT_V1 + inhale pkIT_V1 == dfltD$9084e2f5_1186dc0d_() + + // pkIT_V1 = get_e_LtpK_r2_c0f0ff6b_F(t1_V0_CN7, rid_V1) + pkIT_V1 := get_e_LtpK_r2_c0f0ff6b_F(t1_V0_CN7, rid_V1) + + // N63, N64, N65, N66 = &*responder_V0_CN0.LibStateAGetLtpKBio(a_V0_CN2, t1_V0_CN7, rid_V1) + N63, N64, N65, N66 := GetLtpKBio_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), a_V0_CN2, t1_V0_CN7, rid_V1) + + // init aX_V1 + inhale aX_V1 == 0 + + // init ltpk_V1 + inhale ltpk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ok_V0_CN5 = N63 + ok_V0_CN5 := N63 + + // aX_V1 = N64 + aX_V1 := N64 + + // ltpk_V1 = N65 + ltpk_V1 := N65 + + // t1_V0_CN7 = N66 + t1_V0_CN7 := N66 + + // if(!ok_V0_CN5 || a_V0_CN2 != aX_V1 || len(ltpk_V1) != 32) {...} else {...} + if (!ok_V0_CN5 || !(a_V0_CN2 == aX_V1) || !((slen(ltpk_V1): Int) == 32)) { + + // decl + + // ok_V0_CN5 = false + ok_V0_CN5 := false + + // return + goto returnLabel + } + + // s1_V0_CN8 = s1_V0_CN8 union mset[Fact_3e61b158_T] { LtpK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pkIT_V1) } + s1_V0_CN8 := (s1_V0_CN8 union Multiset(LtpK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pkIT_V1))) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRF_Resp_8_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiRF_Resp_8_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // init pskT_V1 + inhale pskT_V1 == dfltD$9084e2f5_1186dc0d_() + + // pskT_V1 = get_e_PsK_r3_c0f0ff6b_F(t1_V0_CN7, rid_V1) + pskT_V1 := get_e_PsK_r3_c0f0ff6b_F(t1_V0_CN7, rid_V1) + + // N71, N72, N73, N74, N75 = &*responder_V0_CN0.LibStateAGetPsKBio(a_V0_CN2, b_V0_CN3, t1_V0_CN7, rid_V1) + N71, N72, N73, N74, N75 := GetPsKBio_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): 
ShStruct4[Ref, Ref, Ref, Ref]), a_V0_CN2, b_V0_CN3, t1_V0_CN7, rid_V1) + + // init bY_V1 + inhale bY_V1 == 0 + + // init psk_V1 + inhale psk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ok_V0_CN5 = N71 + ok_V0_CN5 := N71 + + // aX_V1 = N72 + aX_V1 := N72 + + // bY_V1 = N73 + bY_V1 := N73 + + // psk_V1 = N74 + psk_V1 := N74 + + // t1_V0_CN7 = N75 + t1_V0_CN7 := N75 + + // if(!ok_V0_CN5 || a_V0_CN2 != aX_V1 || b_V0_CN3 != bY_V1 || len(psk_V1) != 32) {...} else {...} + if (!ok_V0_CN5 || !(a_V0_CN2 == aX_V1) || !(b_V0_CN3 == bY_V1) || !((slen(psk_V1): Int) == 32)) { + + // decl + + // ok_V0_CN5 = false + ok_V0_CN5 := false + + // return + goto returnLabel + } + + // s1_V0_CN8 = s1_V0_CN8 union mset[Fact_3e61b158_T] { PsK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), pskT_V1) } + s1_V0_CN8 := (s1_V0_CN8 union Multiset(PsK_Resp_3e61b158_F(rid_V1, pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(a_V0_CN2)), pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b_V0_CN3)), pskT_V1))) + + // *responder_V0_CN0.HandshakeInfoA.PresharedKeyA = psk_V1 + (ShStructget0of5((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := psk_V1 + + // *responder_V0_CN0.HandshakeInfoA.PrivateKeyA = ltk_V1 + (ShStructget1of5((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := ltk_V1 + + // *responder_V0_CN0.HandshakeInfoA.LocalIndexA = sid_V0_CN1 + (ShStructget2of5((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int := sid_V0_CN1 + + // N81 = PublicKey_c7a67a88_F(ltk_V1) + N81 := PublicKey_c7a67a88_F(ltk_V1) + + // *responder_V0_CN0.HandshakeInfoA.LocalStaticA = N81 + (ShStructget3of5((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := N81 + + // *responder_V0_CN0.HandshakeInfoA.RemoteStaticA = ltpk_V1 + (ShStructget4of5((ShStructget1of4(responder_V0_CN0): 
ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Slice_Ref := ltpk_V1 + + // *responder_V0_CN0.aA = a_V0_CN2 + (ShStructget2of4(responder_V0_CN0): Ref).val$_Int := a_V0_CN2 + + // *responder_V0_CN0.bA = b_V0_CN3 + (ShStructget3of4(responder_V0_CN0): Ref).val$_Int := b_V0_CN3 + + // fold acc(HandshakeArgsMem_c7a67a88_F(&*responder_V0_CN0.HandshakeInfoA)) + fold acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), write) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0)) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), write) + + // assert pp_V1 == responder_V0_CN0.getPP() + assert pp_V1 == getPP_22e24f7d_PMResponder(responder_V0_CN0) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRF_Resp_14_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiRF_Resp_14_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // N83, N84, N85, N86 = GetResp0R_c7a67a88_F(a_V0_CN2, b_V0_CN3, t1_V0_CN7, rid_V1) + N83, N84, N85, N86 := GetResp0R_c7a67a88_F(a_V0_CN2, b_V0_CN3, t1_V0_CN7, rid_V1) + + // ok_V0_CN5 = N83 + ok_V0_CN5 := N83 + + // aX_V1 = N84 + aX_V1 := N84 + + // bX_V1 = N85 + bX_V1 := N85 + + // t1_V0_CN7 = N86 + t1_V0_CN7 := N86 + + // if(a_V0_CN2 != aX_V1 || b_V0_CN3 != bX_V1) {...} else {...} + if (!(a_V0_CN2 == aX_V1) || !(b_V0_CN3 == bX_V1)) { + + // decl + + // ok_V0_CN5 = false + ok_V0_CN5 := false + } + + // s1_V0_CN8 = s1_V0_CN8 union mset[Fact_3e61b158_T] { Setup_Resp_3e61b158_F(rid_V1, getFirst_d2674021_F(pp_V1), getSecond_d2674021_F(pp_V1), getThird_d2674021_F(pp_V1), getForth_d2674021_F(pp_V1)) } + s1_V0_CN8 := (s1_V0_CN8 union Multiset(Setup_Resp_3e61b158_F(rid_V1, getFirst_d2674021_F(pp_V1), getSecond_d2674021_F(pp_V1), getThird_d2674021_F(pp_V1), getForth_d2674021_F(pp_V1)))) + + // keys_V0_CN6 = seq[Term_1186dc0d_T] { 0:kRT_V1, 1:pkIT_V1, 2:pskT_V1 } + keys_V0_CN6 := Seq(kRT_V1, 
pkIT_V1, pskT_V1) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN5 + ok_V0 := ok_V0_CN5 + + // keys_V0 = keys_V0_CN6 + keys_V0 := keys_V0_CN6 + + // t1_V0 = t1_V0_CN7 + t1_V0 := t1_V0_CN7 + + // s1_V0 = s1_V0_CN8 + s1_V0 := s1_V0_CN8 +} + +method runHandshake_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], v_V0: Seq[D$9084e2f5_1186dc0d_], t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (conn_V0: ShStruct4[Ref, Ref, Ref, Ref], ok_V0: Bool, v1_V0: Seq[D$9084e2f5_1186dc0d_], t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 2) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, getRid_22e24f7d_PMResponder(responder_V0), s_V0), write) + requires |v_V0| == 3 + requires 0 < ((LtK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0]) in s_V0)) && gamma_b3aa12e7_F(v_V0[0]) == getKR_22e24f7d_F(responder_V0) + requires 0 < ((LtpK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[1]) in s_V0)) && gamma_b3aa12e7_F(v_V0[1]) == getPkI_22e24f7d_F(responder_V0) + requires 0 < ((PsK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[2]) in s_V0)) && gamma_b3aa12e7_F(v_V0[2]) == getPsk_22e24f7d_F(responder_V0) + requires 0 < ((Setup_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0))) in s_V0)) + ensures 
acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 2) + ensures ok_V0 ==> acc(ConnectionMem_c7a67a88_F(conn_V0), write) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Resp_c0f0ff6b_F(t1_V0, getRid_22e24f7d_PMResponder(responder_V0), s1_V0), write) + ensures ok_V0 ==> |v1_V0| == 6 + ensures ok_V0 ==> 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v1_V0[0], v1_V0[4], v1_V0[5]) in s1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(v1_V0[0]) == ConnectionSidI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v1_V0[1]) == getKR_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[4]) == ConnectionKRI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v1_V0[5]) == ConnectionKIR_c7a67a88_F(conn_V0) + ensures ok_V0 ==> ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 +{ + inhale conn_V0 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + inhale ok_V0 == false + inhale v1_V0 == Seq[D$9084e2f5_1186dc0d_]() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, v_V0_CN1: seq[Term_1186dc0d_T]°, t_V0_CN2: Place_c3672ae3_T°, s_V0_CN3: mset[Fact_3e61b158_T]°, conn_V0_CN4: *Connection_c7a67a88_T°, ok_V0_CN5: bool°, v1_V0_CN6: seq[Term_1186dc0d_T]°, t1_V0_CN7: Place_c3672ae3_T°, s1_V0_CN8: mset[Fact_3e61b158_T]° + var s1_V0_CN8: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN7: D$fe170ee1_c3672ae3_ + var v1_V0_CN6: Seq[D$9084e2f5_1186dc0d_] + var ok_V0_CN5: Bool + var conn_V0_CN4: 
ShStruct4[Ref, Ref, Ref, Ref] + var s_V0_CN3: Multiset[D$226445f2_3e61b158_] + var t_V0_CN2: D$fe170ee1_c3672ae3_ + var v_V0_CN1: Seq[D$9084e2f5_1186dc0d_] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init v_V0_CN1 + inhale v_V0_CN1 == Seq[D$9084e2f5_1186dc0d_]() + + // init t_V0_CN2 + inhale t_V0_CN2 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN3 + inhale s_V0_CN3 == Multiset[D$226445f2_3e61b158_]() + + // init conn_V0_CN4 + inhale conn_V0_CN4 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init ok_V0_CN5 + inhale ok_V0_CN5 == false + + // init v1_V0_CN6 + inhale v1_V0_CN6 == Seq[D$9084e2f5_1186dc0d_]() + + // init t1_V0_CN7 + inhale t1_V0_CN7 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN8 + inhale s1_V0_CN8 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // v_V0_CN1 = v_V0 + v_V0_CN1 := v_V0 + + // t_V0_CN2 = t_V0 + t_V0_CN2 := t_V0 + + // s_V0_CN3 = s_V0 + s_V0_CN3 := s_V0 + + // decl N64: *Handshake_c7a67a88_T°, handshake_V1: *Handshake_c7a67a88_T°, N65: bool°, N66: seq[Term_1186dc0d_T]°, N67: Place_c3672ae3_T°, N68: mset[Fact_3e61b158_T]°, N69: bool°, N70: seq[Term_1186dc0d_T]°, N71: Place_c3672ae3_T°, N72: mset[Fact_3e61b158_T]°, N73: *Connection_c7a67a88_T° + var N73: ShStruct4[Ref, Ref, Ref, Ref] + var N72: Multiset[D$226445f2_3e61b158_] + var N71: D$fe170ee1_c3672ae3_ + var N70: Seq[D$9084e2f5_1186dc0d_] + var N69: Bool + var N68: Multiset[D$226445f2_3e61b158_] + var N67: D$fe170ee1_c3672ae3_ + var N66: Seq[D$9084e2f5_1186dc0d_] + var N65: Bool + 
var handshake_V1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var N64: ShStruct5[Ref, Ref, Ref, Ref, Ref] + + // N64 = new(Handshake_c7a67a88_T{dflt[ByteString_c7a67a88_T], dflt[ByteString_c7a67a88_T], dflt[ByteString_c7a67a88_T], dflt[uint32], dflt[ByteString_c7a67a88_T]}) + var fn$$0: ShStruct5[Ref, Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of5(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(fn$$0): Ref).val$_Int, write) && acc((ShStructget4of5(fn$$0): Ref).val$_Slice_Ref, write) && (true && (ShStructget0of5(fn$$0): Ref).val$_Slice_Ref == (get0of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref]) && (ShStructget1of5(fn$$0): Ref).val$_Slice_Ref == (get1of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref]) && (ShStructget2of5(fn$$0): Ref).val$_Slice_Ref == (get2of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Slice[Ref]) && (ShStructget3of5(fn$$0): Ref).val$_Int == (get3of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, Slice[Ref]])): Int) && (ShStructget4of5(fn$$0): Ref).val$_Slice_Ref == (get4of5((tuple5(sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$(), 0, sliceDefault_Intbyte$$$_S_$$$()): Tuple5[Slice[Ref], Slice[Ref], Slice[Ref], Int, 
Slice[Ref]])): Slice[Ref])) + N64 := fn$$0 + + // init handshake_V1 + inhale handshake_V1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // handshake_V1 = N64 + handshake_V1 := N64 + + // N65, N66, N67, N68 = responder_V0_CN0receiveRequest(handshake_V1, v_V0_CN1, t_V0_CN2, s_V0_CN3) + N65, N66, N67, N68 := receiveRequest_22e24f7d_PMResponder(responder_V0_CN0, handshake_V1, v_V0_CN1, t_V0_CN2, s_V0_CN3) + + // ok_V0_CN5 = N65 + ok_V0_CN5 := N65 + + // v1_V0_CN6 = N66 + v1_V0_CN6 := N66 + + // t1_V0_CN7 = N67 + t1_V0_CN7 := N67 + + // s1_V0_CN8 = N68 + s1_V0_CN8 := N68 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // &*responder_V0_CN0.LibStateAPrintln("Success Consuming Request") + Println_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), stringLit5375636365737320436f6e73756d696e672052657175657374()) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // N69, N70, N71, N72 = responder_V0_CN0sendResponse(handshake_V1, v1_V0_CN6, t1_V0_CN7, s1_V0_CN8) + N69, N70, N71, N72 := sendResponse_22e24f7d_PMResponder(responder_V0_CN0, handshake_V1, v1_V0_CN6, t1_V0_CN7, s1_V0_CN8) + + // ok_V0_CN5 = N69 + ok_V0_CN5 := N69 + + // v1_V0_CN6 = N70 + v1_V0_CN6 := N70 + + // t1_V0_CN7 = N71 + t1_V0_CN7 := N71 + + // s1_V0_CN8 = N72 + s1_V0_CN8 := N72 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + unfold 
acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // &*responder_V0_CN0.LibStateAPrintln("Success Sending Response") + Println_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), stringLit537563636573732053656e64696e6720526573706f6e7365()) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // N73 = responder_V0_CN0beginSymmetricSession(handshake_V1) + N73 := beginSymmetricSession_22e24f7d_PMResponder(responder_V0_CN0, handshake_V1) + + // conn_V0_CN4 = N73 + conn_V0_CN4 := N73 + + // v1_V0_CN6 = seq[Term_1186dc0d_T] { 0:v1_V0_CN6[0], 5:kdf2__d2674021_F(v1_V0_CN6[4]), 1:v1_V0_CN6[1], 2:v1_V0_CN6[2], 3:v1_V0_CN6[3], 4:kdf1__d2674021_F(v1_V0_CN6[4]) } + v1_V0_CN6 := Seq(v1_V0_CN6[0], v1_V0_CN6[1], v1_V0_CN6[2], v1_V0_CN6[3], kdf1__d2674021_F(v1_V0_CN6[4]), kdf2__d2674021_F(v1_V0_CN6[4])) + + // return + goto returnLabel + label returnLabel + + // conn_V0 = conn_V0_CN4 + conn_V0 := conn_V0_CN4 + + // ok_V0 = ok_V0_CN5 + ok_V0 := ok_V0_CN5 + + // v1_V0 = v1_V0_CN6 + v1_V0 := v1_V0_CN6 + + // t1_V0 = t1_V0_CN7 + t1_V0 := t1_V0_CN7 + + // s1_V0 = s1_V0_CN8 + s1_V0 := s1_V0_CN8 +} + +method receiveRequest_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], v_V0: Seq[D$9084e2f5_1186dc0d_], t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, v1_V0: Seq[D$9084e2f5_1186dc0d_], t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 4) && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write)) + 
requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, getRid_22e24f7d_PMResponder(responder_V0), s_V0), write) + requires |v_V0| == 3 + requires 0 < ((LtK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0]) in s_V0)) && gamma_b3aa12e7_F(v_V0[0]) == getKR_22e24f7d_F(responder_V0) + requires 0 < ((LtpK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[1]) in s_V0)) && gamma_b3aa12e7_F(v_V0[1]) == getPkI_22e24f7d_F(responder_V0) + requires 0 < ((PsK_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[2]) in s_V0)) && gamma_b3aa12e7_F(v_V0[2]) == getPsk_22e24f7d_F(responder_V0) + requires 0 < ((Setup_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0))) in s_V0)) + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 4) + ensures ok_V0 ==> acc(HandshakeMem1_22e24f7d_F(hs_V0), write) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Resp_c0f0ff6b_F(t1_V0, getRid_22e24f7d_PMResponder(responder_V0), s1_V0), write) + ensures ok_V0 ==> |v1_V0| == 7 + ensures ok_V0 ==> 0 < ((St_Resp_1_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v1_V0[2], v1_V0[1], v1_V0[4], v1_V0[3], v1_V0[5], v1_V0[6], v1_V0[0]) in s1_V0)) + ensures ok_V0 ==> 
gamma_b3aa12e7_F(v1_V0[0]) == getSidI1_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v1_V0[1]) == getKR_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[4]) == getEpkI1_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v1_V0[5]) == getNKey1_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v1_V0[6]) == getNHash1_22e24f7d_F(hs_V0) +{ + inhale ok_V0 == false + inhale v1_V0 == Seq[D$9084e2f5_1186dc0d_]() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, v_V0_CN2: seq[Term_1186dc0d_T]°, t_V0_CN3: Place_c3672ae3_T°, s_V0_CN4: mset[Fact_3e61b158_T]°, ok_V0_CN5: bool°, v1_V0_CN6: seq[Term_1186dc0d_T]°, t1_V0_CN7: Place_c3672ae3_T°, s1_V0_CN8: mset[Fact_3e61b158_T]° + var s1_V0_CN8: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN7: D$fe170ee1_c3672ae3_ + var v1_V0_CN6: Seq[D$9084e2f5_1186dc0d_] + var ok_V0_CN5: Bool + var s_V0_CN4: Multiset[D$226445f2_3e61b158_] + var t_V0_CN3: D$fe170ee1_c3672ae3_ + var v_V0_CN2: Seq[D$9084e2f5_1186dc0d_] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init v_V0_CN2 + inhale v_V0_CN2 == Seq[D$9084e2f5_1186dc0d_]() + + // init t_V0_CN3 + inhale t_V0_CN3 == 
dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN4 + inhale s_V0_CN4 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN5 + inhale ok_V0_CN5 == false + + // init v1_V0_CN6 + inhale v1_V0_CN6 == Seq[D$9084e2f5_1186dc0d_]() + + // init t1_V0_CN7 + inhale t1_V0_CN7 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN8 + inhale s1_V0_CN8 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // v_V0_CN2 = v_V0 + v_V0_CN2 := v_V0 + + // t_V0_CN3 = t_V0 + t_V0_CN3 := t_V0 + + // s_V0_CN4 = s_V0 + s_V0_CN4 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, N67: ByteString_c7a67a88_T°, N68: bool°, N69: Term_1186dc0d_T°, N70: Place_c3672ae3_T°, packet_V1: ByteString_c7a67a88_T°, msg_V1: Term_1186dc0d_T°, b_V1: Bytes_b3aa12e7_T°, N73: *Request_c7a67a88_T°, N74: bool°, request_V1: *Request_c7a67a88_T°, BeforeConsume_L, ts_V1: Bytes_b3aa12e7_T°, N75: bool°, N76: Bytes_b3aa12e7_T° + var N76: D$8d64a7ad_b3aa12e7_ + var N75: Bool + var ts_V1: D$8d64a7ad_b3aa12e7_ + var request_V1: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var N74: Bool + var N73: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var b_V1: D$8d64a7ad_b3aa12e7_ + var msg_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N70: D$fe170ee1_c3672ae3_ + var N69: D$9084e2f5_1186dc0d_ + var N68: Bool + var N67: Slice[Ref] + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = responder_V0_CN0.getRid() + rid_V1 := getRid_22e24f7d_PMResponder(responder_V0_CN0) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = responder_V0_CN0.getPP() + pp_V1 := getPP_22e24f7d_PMResponder(responder_V0_CN0) + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN3, rid_V1, 
s_V0_CN4)) + unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4), write) + + // unfold acc(phiRF_Resp_9_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4)) + unfold acc(phiRF_Resp_9_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4), write) + + // N67, N68, N69, N70 = &*responder_V0_CN0.LibStateAReceive(t_V0_CN3, rid_V1) + N67, N68, N69, N70 := Receive_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), t_V0_CN3, rid_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // init msg_V1 + inhale msg_V1 == dfltD$9084e2f5_1186dc0d_() + + // packet_V1 = N67 + packet_V1 := N67 + + // ok_V0_CN5 = N68 + ok_V0_CN5 := N68 + + // msg_V1 = N69 + msg_V1 := N69 + + // t1_V0_CN7 = N70 + t1_V0_CN7 := N70 + + // s1_V0_CN8 = s_V0_CN4 union mset[Fact_3e61b158_T] { InFact_Resp_3e61b158_F(rid_V1, msg_V1) } + s1_V0_CN8 := (s_V0_CN4 union Multiset(InFact_Resp_3e61b158_F(rid_V1, msg_V1))) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // init b_V1 + inhale b_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // b_V1 = Abs_c7a67a88_F(packet_V1) + b_V1 := Abs_c7a67a88_F(packet_V1) + + // N73, N74 = UnmarshalRequest_c7a67a88_F(packet_V1) + N73, N74 := UnmarshalRequest_c7a67a88_F(packet_V1) + + // init request_V1 + inhale request_V1 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // request_V1 = N73 + request_V1 := N73 + + // ok_V0_CN5 = N74 + ok_V0_CN5 := N74 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // BeforeConsume_L + label BeforeConsume_L 
+ + // init ts_V1 + inhale ts_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // ts_V1 = dflt[Bytes_b3aa12e7_T] + ts_V1 := dfltD$8d64a7ad_b3aa12e7_() + + // N75, N76 = responder_V0_CN0consumeRequest(hs_V0_CN1, request_V1) + N75, N76 := consumeRequest_22e24f7d_PMResponder(responder_V0_CN0, hs_V0_CN1, request_V1) + + // ok_V0_CN5 = N75 + ok_V0_CN5 := N75 + + // ts_V1 = N76 + ts_V1 := N76 + + // if(ok_V0_CN5) {...} else {...} + if (ok_V0_CN5) { + + // decl sidI_V2: Bytes_b3aa12e7_T°, kR_V2: Bytes_b3aa12e7_T°, pkI_V2: Bytes_b3aa12e7_T°, epkI_V2: Bytes_b3aa12e7_T°, mac1_V2: Bytes_b3aa12e7_T°, mac2_V2: Bytes_b3aa12e7_T°, N93: Term_1186dc0d_T°, N94: Term_1186dc0d_T°, N95: Term_1186dc0d_T°, N96: Term_1186dc0d_T°, N97: Term_1186dc0d_T°, sidIX_V2: Term_1186dc0d_T°, epkIX_V2: Term_1186dc0d_T°, tsX_V2: Term_1186dc0d_T°, mac1X_V2: Term_1186dc0d_T°, mac2X_V2: Term_1186dc0d_T°, Q1sidR_V2: Term_1186dc0d_T°, Q1a_V2: Term_1186dc0d_T°, Q1b_V2: Term_1186dc0d_T°, Q1prologue_V2: Term_1186dc0d_T°, Q1info_V2: Term_1186dc0d_T°, Q1kR_V2: Term_1186dc0d_T°, Q1pkI_V2: Term_1186dc0d_T°, Q1psk_V2: Term_1186dc0d_T°, Q1sidI_V2: Term_1186dc0d_T°, Q1epkI_V2: Term_1186dc0d_T°, Q1timestamp_V2: Term_1186dc0d_T°, Q1mac1I_V2: Term_1186dc0d_T°, Q1mac2I_V2: Term_1186dc0d_T°, l_V2: mset[Fact_3e61b158_T]°, a_V2: mset[Claim_2716b91c_T]°, r_V2: mset[Fact_3e61b158_T]°, N112: Place_c3672ae3_T° + var N112: D$fe170ee1_c3672ae3_ + var r_V2: Multiset[D$226445f2_3e61b158_] + var a_V2: Multiset[D$46be403b_2716b91c_] + var l_V2: Multiset[D$226445f2_3e61b158_] + var Q1mac2I_V2: D$9084e2f5_1186dc0d_ + var Q1mac1I_V2: D$9084e2f5_1186dc0d_ + var Q1timestamp_V2: D$9084e2f5_1186dc0d_ + var Q1epkI_V2: D$9084e2f5_1186dc0d_ + var Q1sidI_V2: D$9084e2f5_1186dc0d_ + var Q1psk_V2: D$9084e2f5_1186dc0d_ + var Q1pkI_V2: D$9084e2f5_1186dc0d_ + var Q1kR_V2: D$9084e2f5_1186dc0d_ + var Q1info_V2: D$9084e2f5_1186dc0d_ + var Q1prologue_V2: D$9084e2f5_1186dc0d_ + var Q1b_V2: D$9084e2f5_1186dc0d_ + var Q1a_V2: D$9084e2f5_1186dc0d_ + var Q1sidR_V2: 
D$9084e2f5_1186dc0d_ + var mac2X_V2: D$9084e2f5_1186dc0d_ + var mac1X_V2: D$9084e2f5_1186dc0d_ + var tsX_V2: D$9084e2f5_1186dc0d_ + var epkIX_V2: D$9084e2f5_1186dc0d_ + var sidIX_V2: D$9084e2f5_1186dc0d_ + var N97: D$9084e2f5_1186dc0d_ + var N96: D$9084e2f5_1186dc0d_ + var N95: D$9084e2f5_1186dc0d_ + var N94: D$9084e2f5_1186dc0d_ + var N93: D$9084e2f5_1186dc0d_ + var mac2_V2: D$8d64a7ad_b3aa12e7_ + var mac1_V2: D$8d64a7ad_b3aa12e7_ + var epkI_V2: D$8d64a7ad_b3aa12e7_ + var pkI_V2: D$8d64a7ad_b3aa12e7_ + var kR_V2: D$8d64a7ad_b3aa12e7_ + var sidI_V2: D$8d64a7ad_b3aa12e7_ + + // init sidI_V2 + inhale sidI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // sidI_V2 = getSidI1_22e24f7d_F(hs_V0_CN1) + sidI_V2 := getSidI1_22e24f7d_F(hs_V0_CN1) + + // init kR_V2 + inhale kR_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // kR_V2 = old(getKR_22e24f7d_F(responder_V0_CN0)) + kR_V2 := old(getKR_22e24f7d_F(responder_V0_CN0)) + + // init pkI_V2 + inhale pkI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // pkI_V2 = old(getPkI_22e24f7d_F(responder_V0_CN0)) + pkI_V2 := old(getPkI_22e24f7d_F(responder_V0_CN0)) + + // init epkI_V2 + inhale epkI_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // epkI_V2 = getEpkI1_22e24f7d_F(hs_V0_CN1) + epkI_V2 := getEpkI1_22e24f7d_F(hs_V0_CN1) + + // init mac1_V2 + inhale mac1_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // mac1_V2 = old[BeforeConsume_L](RequestMac1_c7a67a88_F(request_V1)) + mac1_V2 := old[BeforeConsume_L](RequestMac1_c7a67a88_F(request_V1)) + + // init mac2_V2 + inhale mac2_V2 == dfltD$8d64a7ad_b3aa12e7_() + + // mac2_V2 = old[BeforeConsume_L](RequestMac2_c7a67a88_F(request_V1)) + mac2_V2 := old[BeforeConsume_L](RequestMac2_c7a67a88_F(request_V1)) + + // assert b_V1 == Bytes_M1_68d987ee_F(sidI_V2, kR_V2, pkI_V2, epkI_V2, ts_V1, mac1_V2, mac2_V2) + assert b_V1 == Bytes_M1_68d987ee_F(sidI_V2, kR_V2, pkI_V2, epkI_V2, ts_V1, mac1_V2, mac2_V2) + + // assert getNKey1_22e24f7d_F(hs_V0_CN1) == Bytes_c3_68d987ee_F(kR_V2, pkI_V2, epkI_V2) + assert getNKey1_22e24f7d_F(hs_V0_CN1) == 
Bytes_c3_68d987ee_F(kR_V2, pkI_V2, epkI_V2) + + // assert getNHash1_22e24f7d_F(hs_V0_CN1) == Bytes_h4_68d987ee_F(kR_V2, pkI_V2, epkI_V2, ts_V1) + assert getNHash1_22e24f7d_F(hs_V0_CN1) == Bytes_h4_68d987ee_F(kR_V2, pkI_V2, epkI_V2, ts_V1) + + // N93, N94, N95, N96, N97 = patternProperty3_8142c2d2_F(rid_V1, pp_V1, v_V0_CN2[0], v_V0_CN2[1], oneTerm_b3aa12e7_F(sidI_V2), oneTerm_b3aa12e7_F(epkI_V2), oneTerm_b3aa12e7_F(ts_V1), oneTerm_b3aa12e7_F(mac1_V2), oneTerm_b3aa12e7_F(mac2_V2), msg_V1, t1_V0_CN7, s1_V0_CN8) + N93, N94, N95, N96, N97 := patternProperty3_8142c2d2_F(rid_V1, pp_V1, v_V0_CN2[0], v_V0_CN2[1], oneTerm_b3aa12e7_F(sidI_V2), oneTerm_b3aa12e7_F(epkI_V2), oneTerm_b3aa12e7_F(ts_V1), oneTerm_b3aa12e7_F(mac1_V2), oneTerm_b3aa12e7_F(mac2_V2), msg_V1, t1_V0_CN7, s1_V0_CN8) + + // init sidIX_V2 + inhale sidIX_V2 == dfltD$9084e2f5_1186dc0d_() + + // init epkIX_V2 + inhale epkIX_V2 == dfltD$9084e2f5_1186dc0d_() + + // init tsX_V2 + inhale tsX_V2 == dfltD$9084e2f5_1186dc0d_() + + // init mac1X_V2 + inhale mac1X_V2 == dfltD$9084e2f5_1186dc0d_() + + // init mac2X_V2 + inhale mac2X_V2 == dfltD$9084e2f5_1186dc0d_() + + // sidIX_V2 = N93 + sidIX_V2 := N93 + + // epkIX_V2 = N94 + epkIX_V2 := N94 + + // tsX_V2 = N95 + tsX_V2 := N95 + + // mac1X_V2 = N96 + mac1X_V2 := N96 + + // mac2X_V2 = N97 + mac2X_V2 := N97 + + // assert msg_V1 == Term_M1_68d987ee_F(sidIX_V2, v_V0_CN2[0], v_V0_CN2[1], epkIX_V2, tsX_V2, mac1X_V2, mac2X_V2) + assert msg_V1 == Term_M1_68d987ee_F(sidIX_V2, v_V0_CN2[0], v_V0_CN2[1], epkIX_V2, tsX_V2, mac1X_V2, mac2X_V2) + + // assert getNKey1_22e24f7d_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_c3_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2)) + assert getNKey1_22e24f7d_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_c3_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2)) + + // assert getNHash1_22e24f7d_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_h4_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2, tsX_V2)) + assert getNHash1_22e24f7d_F(hs_V0_CN1) == 
gamma_b3aa12e7_F(Term_h4_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2, tsX_V2)) + + // init Q1sidR_V2 + inhale Q1sidR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1sidR_V2 = rid_V1 + Q1sidR_V2 := rid_V1 + + // init Q1a_V2 + inhale Q1a_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1a_V2 = getFirst_d2674021_F(pp_V1) + Q1a_V2 := getFirst_d2674021_F(pp_V1) + + // init Q1b_V2 + inhale Q1b_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1b_V2 = getSecond_d2674021_F(pp_V1) + Q1b_V2 := getSecond_d2674021_F(pp_V1) + + // init Q1prologue_V2 + inhale Q1prologue_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1prologue_V2 = getThird_d2674021_F(pp_V1) + Q1prologue_V2 := getThird_d2674021_F(pp_V1) + + // init Q1info_V2 + inhale Q1info_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1info_V2 = getForth_d2674021_F(pp_V1) + Q1info_V2 := getForth_d2674021_F(pp_V1) + + // init Q1kR_V2 + inhale Q1kR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1kR_V2 = v_V0_CN2[0] + Q1kR_V2 := v_V0_CN2[0] + + // init Q1pkI_V2 + inhale Q1pkI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1pkI_V2 = v_V0_CN2[1] + Q1pkI_V2 := v_V0_CN2[1] + + // init Q1psk_V2 + inhale Q1psk_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1psk_V2 = v_V0_CN2[2] + Q1psk_V2 := v_V0_CN2[2] + + // init Q1sidI_V2 + inhale Q1sidI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1sidI_V2 = sidIX_V2 + Q1sidI_V2 := sidIX_V2 + + // init Q1epkI_V2 + inhale Q1epkI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1epkI_V2 = epkIX_V2 + Q1epkI_V2 := epkIX_V2 + + // init Q1timestamp_V2 + inhale Q1timestamp_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1timestamp_V2 = tsX_V2 + Q1timestamp_V2 := tsX_V2 + + // init Q1mac1I_V2 + inhale Q1mac1I_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1mac1I_V2 = mac1X_V2 + Q1mac1I_V2 := mac1X_V2 + + // init Q1mac2I_V2 + inhale Q1mac2I_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q1mac2I_V2 = mac2X_V2 + Q1mac2I_V2 := mac2X_V2 + + // init l_V2 + inhale l_V2 == Multiset[D$226445f2_3e61b158_]() + + // l_V2 = InternalResp1L_d2674021_F(Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, 
Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2) + l_V2 := InternalResp1L_d2674021_F(Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2) + + // init a_V2 + inhale a_V2 == Multiset[D$46be403b_2716b91c_]() + + // a_V2 = InternalResp1A_d2674021_F(Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2) + a_V2 := InternalResp1A_d2674021_F(Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2) + + // init r_V2 + inhale r_V2 == Multiset[D$226445f2_3e61b158_]() + + // r_V2 = InternalResp1R_d2674021_F(Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2) + r_V2 := InternalResp1R_d2674021_F(Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiR_Resp_0_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiR_Resp_0_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // N112 = internBIO_e_Handshake_St_Resp_1_c0f0ff6b_F(t1_V0_CN7, Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2, l_V2, a_V2, r_V2) + N112 := internBIO_e_Handshake_St_Resp_1_c0f0ff6b_F(t1_V0_CN7, Q1sidR_V2, Q1a_V2, Q1b_V2, Q1prologue_V2, Q1info_V2, Q1kR_V2, Q1pkI_V2, Q1psk_V2, Q1sidI_V2, Q1epkI_V2, Q1timestamp_V2, Q1mac1I_V2, Q1mac2I_V2, l_V2, a_V2, r_V2) + + // t1_V0_CN7 = N112 + t1_V0_CN7 := N112 + + // s1_V0_CN8 = U_3e61b158_F(l_V2, r_V2, s1_V0_CN8) + s1_V0_CN8 := 
U_3e61b158_F(l_V2, r_V2, s1_V0_CN8) + + // v1_V0_CN6 = seq[Term_1186dc0d_T] { 0:sidIX_V2, 5:Term_c3_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2), 1:v_V0_CN2[0], 6:Term_h4_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2, tsX_V2), 2:v_V0_CN2[1], 3:v_V0_CN2[2], 4:epkIX_V2 } + v1_V0_CN6 := Seq(sidIX_V2, v_V0_CN2[0], v_V0_CN2[1], v_V0_CN2[2], epkIX_V2, Term_c3_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2), Term_h4_68d987ee_F(v_V0_CN2[0], v_V0_CN2[1], epkIX_V2, tsX_V2)) + } + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN5 + ok_V0 := ok_V0_CN5 + + // v1_V0 = v1_V0_CN6 + v1_V0 := v1_V0_CN6 + + // t1_V0 = t1_V0_CN7 + t1_V0 := t1_V0_CN7 + + // s1_V0 = s1_V0_CN8 + s1_V0 := s1_V0_CN8 +} + +method consumeRequest_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], request_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) returns (ok_V0: Bool, ts_V0: D$8d64a7ad_b3aa12e7_) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) && (true && acc((ShStructget0of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget1of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of5(hs_V0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of5(hs_V0): Ref).val$_Int, write) && acc((ShStructget4of5(hs_V0): Ref).val$_Slice_Ref, write)) && acc(RequestMem_c7a67a88_F(request_V0), write) + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) + ensures ok_V0 ==> acc(HandshakeMem1_22e24f7d_F(hs_V0), write) + ensures ok_V0 ==> old(RequestAbs_c7a67a88_F(request_V0)) == Bytes_M1_68d987ee_F(getSidI1_22e24f7d_F(hs_V0), getKR_22e24f7d_F(responder_V0), getPkI_22e24f7d_F(responder_V0), getEpkI1_22e24f7d_F(hs_V0), ts_V0, old(RequestMac1_c7a67a88_F(request_V0)), old(RequestMac2_c7a67a88_F(request_V0))) + ensures ok_V0 ==> getNKey1_22e24f7d_F(hs_V0) == Bytes_c3_68d987ee_F(getKR_22e24f7d_F(responder_V0), getPkI_22e24f7d_F(responder_V0), 
getEpkI1_22e24f7d_F(hs_V0)) + ensures ok_V0 ==> getNHash1_22e24f7d_F(hs_V0) == Bytes_h4_68d987ee_F(getKR_22e24f7d_F(responder_V0), getPkI_22e24f7d_F(responder_V0), getEpkI1_22e24f7d_F(hs_V0), ts_V0) +{ + inhale ok_V0 == false + inhale ts_V0 == dfltD$8d64a7ad_b3aa12e7_() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, request_V0_CN2: *Request_c7a67a88_T°, ok_V0_CN3: bool°, ts_V0_CN4: Bytes_b3aa12e7_T° + var ts_V0_CN4: D$8d64a7ad_b3aa12e7_ + var ok_V0_CN3: Bool + var request_V0_CN2: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init request_V0_CN2 + inhale request_V0_CN2 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_StaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_TimestampA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init ok_V0_CN3 + inhale ok_V0_CN3 == false + + // init ts_V0_CN4 + inhale ts_V0_CN4 == dfltD$8d64a7ad_b3aa12e7_() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // request_V0_CN2 = request_V0 + request_V0_CN2 := request_V0 + + // decl args_V1: *HandshakeArguments_c7a67a88_T°, kR_V1: 
Bytes_b3aa12e7_T°, pkI_V1: Bytes_b3aa12e7_T°, epkI_V1: Bytes_b3aa12e7_T°, N26: ByteString_c7a67a88_T°, N27: ByteString_c7a67a88_T°, chainKey_V1: ByteString_c7a67a88_T°, N30: ByteString_c7a67a88_T°, chainHash_V1: ByteString_c7a67a88_T°, N31: ByteString_c7a67a88_T°, N40: ByteString_c7a67a88_T°, ss_V1: ByteString_c7a67a88_T°, N42: ByteString_c7a67a88_T°, key_V1: ByteString_c7a67a88_T°, N47: ByteString_c7a67a88_T°, N48: ByteString_c7a67a88_T°, N49: bool°, peerPK_V1: ByteString_c7a67a88_T°, N55: ByteString_c7a67a88_T°, sharedStatic_V1: ByteString_c7a67a88_T°, N61: ByteString_c7a67a88_T°, N62: ByteString_c7a67a88_T°, N63: ByteString_c7a67a88_T°, N64: ByteString_c7a67a88_T°, N65: bool° + var N65: Bool + var N64: Slice[Ref] + var N63: Slice[Ref] + var N62: Slice[Ref] + var N61: Slice[Ref] + var sharedStatic_V1: Slice[Ref] + var N55: Slice[Ref] + var peerPK_V1: Slice[Ref] + var N49: Bool + var N48: Slice[Ref] + var N47: Slice[Ref] + var key_V1: Slice[Ref] + var N42: Slice[Ref] + var ss_V1: Slice[Ref] + var N40: Slice[Ref] + var N31: Slice[Ref] + var chainHash_V1: Slice[Ref] + var N30: Slice[Ref] + var chainKey_V1: Slice[Ref] + var N27: Slice[Ref] + var N26: Slice[Ref] + var epkI_V1: D$8d64a7ad_b3aa12e7_ + var pkI_V1: D$8d64a7ad_b3aa12e7_ + var kR_V1: D$8d64a7ad_b3aa12e7_ + var args_V1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // init args_V1 + inhale args_V1 == shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // args_V1 = &*responder_V0_CN0.HandshakeInfoA + args_V1 := (ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref]) + + // unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + unfold 
acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // unfold acc(RequestMem_c7a67a88_F(request_V0_CN2)) + unfold acc(RequestMem_c7a67a88_F(request_V0_CN2), write) + + // init kR_V1 + inhale kR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // kR_V1 = Abs_c7a67a88_F(*args_V1.PrivateKeyA) + kR_V1 := Abs_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref) + + // init pkI_V1 + inhale pkI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // pkI_V1 = Abs_c7a67a88_F(*args_V1.RemoteStaticA) + pkI_V1 := Abs_c7a67a88_F((ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // init epkI_V1 + inhale epkI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // epkI_V1 = Abs_c7a67a88_F(*request_V0_CN2.EphemeralA) + epkI_V1 := Abs_c7a67a88_F((ShStructget2of7(request_V0_CN2): Ref).val$_Slice_Ref) + + // ok_V0_CN3 = *request_V0_CN2.TypeA == 1 + ok_V0_CN3 := (ShStructget0of7(request_V0_CN2): Ref).val$_Int == 1 + + // if(!ok_V0_CN3) {...} else {...} + if (!ok_V0_CN3) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // N26 = WireGuardBytes_c7a67a88_F() + N26 := WireGuardBytes_c7a67a88_F() + + // N27 = ComputeSingleHash_c7a67a88_F(N26) + N27 := ComputeSingleHash_c7a67a88_F(N26) + + // init chainKey_V1 + inhale chainKey_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // chainKey_V1 = N27 + chainKey_V1 := N27 + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c0_68d987ee_F() + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c0_68d987ee_F() + + // N30 = NewByteString_c7a67a88_F(32) + N30 := NewByteString_c7a67a88_F(32) + + // init chainHash_V1 + inhale chainHash_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // chainHash_V1 = N30 + chainHash_V1 := N30 + + // N31 = PreludeBytes_c7a67a88_F() + N31 := PreludeBytes_c7a67a88_F() + + // ComputeHash_c7a67a88_F(chainHash_V1, chainKey_V1, N31) + 
ComputeHash_c7a67a88_F(chainHash_V1, chainKey_V1, N31) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h0_68d987ee_F() + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h0_68d987ee_F() + + // ComputeHashInplace_c7a67a88_F(chainHash_V1, *args_V1.LocalStaticA) + ComputeHashInplace_c7a67a88_F(chainHash_V1, (ShStructget3of5(args_V1): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h1_68d987ee_F(kR_V1) + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h1_68d987ee_F(kR_V1) + + // ComputeHashInplace_c7a67a88_F(chainHash_V1, *request_V0_CN2.EphemeralA) + ComputeHashInplace_c7a67a88_F(chainHash_V1, (ShStructget2of7(request_V0_CN2): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h2_68d987ee_F(kR_V1, epkI_V1) + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h2_68d987ee_F(kR_V1, epkI_V1) + + // ComputeKDF1Inplace_c7a67a88_F(chainKey_V1, *request_V0_CN2.EphemeralA) + ComputeKDF1Inplace_c7a67a88_F(chainKey_V1, (ShStructget2of7(request_V0_CN2): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c1_68d987ee_F(epkI_V1) + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c1_68d987ee_F(epkI_V1) + + // N40 = ComputeSharedSecret_c7a67a88_F(*args_V1.PrivateKeyA, *request_V0_CN2.EphemeralA) + N40 := ComputeSharedSecret_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref, (ShStructget2of7(request_V0_CN2): Ref).val$_Slice_Ref) + + // init ss_V1 + inhale ss_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ss_V1 = N40 + ss_V1 := N40 + + // decl N41: bool° + var N41: Bool + + // N41 = IsZero_c7a67a88_F(ss_V1) + N41 := IsZero_c7a67a88_F(ss_V1) + + // if(N41) {...} else {...} + if (N41) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // ok_V0_CN3 = false + ok_V0_CN3 := false + + // ts_V0_CN4 = ts_V0_CN4 + ts_V0_CN4 := 
ts_V0_CN4 + + // return + goto returnLabel + } + + // N42 = NewByteString_c7a67a88_F(32) + N42 := NewByteString_c7a67a88_F(32) + + // init key_V1 + inhale key_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // key_V1 = N42 + key_V1 := N42 + + // ComputeKDF2Inplace_c7a67a88_F(key_V1, chainKey_V1, ss_V1) + ComputeKDF2Inplace_c7a67a88_F(key_V1, chainKey_V1, ss_V1) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c2_68d987ee_F(kR_V1, epkI_V1) + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c2_68d987ee_F(kR_V1, epkI_V1) + + // assert Abs_c7a67a88_F(key_V1) == Bytes_k1_68d987ee_F(kR_V1, epkI_V1) + assert Abs_c7a67a88_F(key_V1) == Bytes_k1_68d987ee_F(kR_V1, epkI_V1) + + // N47 = ZeroNonce_c7a67a88_F() + N47 := ZeroNonce_c7a67a88_F() + + // N48, N49 = AeadDec_c7a67a88_F(key_V1, N47, *request_V0_CN2.StaticA, chainHash_V1) + N48, N49 := AeadDec_c7a67a88_F(key_V1, N47, (ShStructget3of7(request_V0_CN2): Ref).val$_Slice_Ref, chainHash_V1) + + // init peerPK_V1 + inhale peerPK_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // peerPK_V1 = N48 + peerPK_V1 := N48 + + // ok_V0_CN3 = N49 + ok_V0_CN3 := N49 + + // if(!ok_V0_CN3) {...} else {...} + if (!ok_V0_CN3) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // ComputeHashInplace_c7a67a88_F(chainHash_V1, *request_V0_CN2.StaticA) + ComputeHashInplace_c7a67a88_F(chainHash_V1, (ShStructget3of7(request_V0_CN2): Ref).val$_Slice_Ref) + + // decl N50: bool° + var N50: Bool + + // N50 = EqualsSlice_c7a67a88_F(*args_V1.RemoteStaticA, peerPK_V1) + N50 := EqualsSlice_c7a67a88_F((ShStructget4of5(args_V1): Ref).val$_Slice_Ref, peerPK_V1) + + // if(!N50) {...} else {...} + if (!N50) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + 
// fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // ok_V0_CN3 = false + ok_V0_CN3 := false + + // ts_V0_CN4 = ts_V0_CN4 + ts_V0_CN4 := ts_V0_CN4 + + // return + goto returnLabel + } + + // assert Abs_c7a67a88_F(*request_V0_CN2.StaticA) == Bytes_c_pkI_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + assert Abs_c7a67a88_F((ShStructget3of7(request_V0_CN2): Ref).val$_Slice_Ref) == Bytes_c_pkI_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h3_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h3_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + + // N55 = ComputeSharedSecret_c7a67a88_F(*args_V1.PrivateKeyA, *args_V1.RemoteStaticA) + N55 := ComputeSharedSecret_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref, (ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // init sharedStatic_V1 + inhale sharedStatic_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // sharedStatic_V1 = N55 + sharedStatic_V1 := N55 + + // decl N56: bool° + var N56: Bool + + // N56 = IsZero_c7a67a88_F(sharedStatic_V1) + N56 := IsZero_c7a67a88_F(sharedStatic_V1) + + // if(N56) {...} else {...} + if (N56) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // ok_V0_CN3 = false + ok_V0_CN3 := false + + // ts_V0_CN4 = ts_V0_CN4 + ts_V0_CN4 := ts_V0_CN4 + + // return + goto returnLabel + } + + // ComputeKDF2Inplace_c7a67a88_F(key_V1, chainKey_V1, sharedStatic_V1) + ComputeKDF2Inplace_c7a67a88_F(key_V1, chainKey_V1, sharedStatic_V1) + + // assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c3_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + assert Abs_c7a67a88_F(chainKey_V1) == Bytes_c3_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + + // assert Abs_c7a67a88_F(key_V1) == Bytes_k2_68d987ee_F(kR_V1, pkI_V1, 
epkI_V1) + assert Abs_c7a67a88_F(key_V1) == Bytes_k2_68d987ee_F(kR_V1, pkI_V1, epkI_V1) + + // N63 = ZeroNonce_c7a67a88_F() + N63 := ZeroNonce_c7a67a88_F() + + // N64, N65 = AeadDec_c7a67a88_F(key_V1, N63, *request_V0_CN2.TimestampA, chainHash_V1) + N64, N65 := AeadDec_c7a67a88_F(key_V1, N63, (ShStructget4of7(request_V0_CN2): Ref).val$_Slice_Ref, chainHash_V1) + + // N62 = N64 + N62 := N64 + + // ok_V0_CN3 = N65 + ok_V0_CN3 := N65 + + // if(!ok_V0_CN3) {...} else {...} + if (!ok_V0_CN3) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // ts_V0_CN4 = decryptB_b3aa12e7_F(Abs_c7a67a88_F(key_V1), zeroStringB_b3aa12e7_F(12), Abs_c7a67a88_F(*request_V0_CN2.TimestampA)) + ts_V0_CN4 := decryptB_b3aa12e7_F(Abs_c7a67a88_F(key_V1), zeroStringB_b3aa12e7_F(12), Abs_c7a67a88_F((ShStructget4of7(request_V0_CN2): Ref).val$_Slice_Ref)) + + // assert Abs_c7a67a88_F(*request_V0_CN2.TimestampA) == Bytes_c_ts_68d987ee_F(kR_V1, pkI_V1, epkI_V1, ts_V0_CN4) + assert Abs_c7a67a88_F((ShStructget4of7(request_V0_CN2): Ref).val$_Slice_Ref) == Bytes_c_ts_68d987ee_F(kR_V1, pkI_V1, epkI_V1, ts_V0_CN4) + + // ComputeHashInplace_c7a67a88_F(chainHash_V1, *request_V0_CN2.TimestampA) + ComputeHashInplace_c7a67a88_F(chainHash_V1, (ShStructget4of7(request_V0_CN2): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h4_68d987ee_F(kR_V1, pkI_V1, epkI_V1, ts_V0_CN4) + assert Abs_c7a67a88_F(chainHash_V1) == Bytes_h4_68d987ee_F(kR_V1, pkI_V1, epkI_V1, ts_V0_CN4) + + // *hs_V0_CN1.ChainHashA = chainHash_V1 + (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref := chainHash_V1 + + // *hs_V0_CN1.ChainKeyA = chainKey_V1 + (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref := chainKey_V1 + + // *hs_V0_CN1.RemoteIndexA = *request_V0_CN2.SenderA + 
(ShStructget3of5(hs_V0_CN1): Ref).val$_Int := (ShStructget1of7(request_V0_CN2): Ref).val$_Int + + // *hs_V0_CN1.RemoteEphemeralA = *request_V0_CN2.EphemeralA + (ShStructget4of5(hs_V0_CN1): Ref).val$_Slice_Ref := (ShStructget2of7(request_V0_CN2): Ref).val$_Slice_Ref + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // fold acc(HandshakeMem1_22e24f7d_F(hs_V0_CN1)) + fold acc(HandshakeMem1_22e24f7d_F(hs_V0_CN1), write) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN3 + ok_V0 := ok_V0_CN3 + + // ts_V0 = ts_V0_CN4 + ts_V0 := ts_V0_CN4 +} + +method sendResponse_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], v_V0: Seq[D$9084e2f5_1186dc0d_], t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, v1_V0: Seq[D$9084e2f5_1186dc0d_], t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 4) && acc(HandshakeMem1_22e24f7d_F(hs_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, getRid_22e24f7d_PMResponder(responder_V0), s_V0), write) + requires |v_V0| == 7 + requires 0 < ((St_Resp_1_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[2], v_V0[1], v_V0[4], v_V0[3], v_V0[5], v_V0[6], v_V0[0]) in s_V0)) + requires gamma_b3aa12e7_F(v_V0[0]) == getSidI1_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v_V0[1]) == getKR_22e24f7d_F(responder_V0) && 
gamma_b3aa12e7_F(v_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[4]) == getEpkI1_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v_V0[5]) == getNKey1_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v_V0[6]) == getNHash1_22e24f7d_F(hs_V0) + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 4) + ensures ok_V0 ==> acc(HandshakeMem2_22e24f7d_F(hs_V0), write) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && acc(P_Resp_c0f0ff6b_F(t1_V0, getRid_22e24f7d_PMResponder(responder_V0), s1_V0), write) + ensures ok_V0 ==> |v1_V0| == 5 + ensures ok_V0 ==> 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v1_V0[0], kdf1__d2674021_F(v1_V0[4]), kdf2__d2674021_F(v1_V0[4])) in s1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(v1_V0[0]) == getSidI2_22e24f7d_F(hs_V0) && gamma_b3aa12e7_F(v1_V0[1]) == getKR_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v1_V0[4]) == getNKey2_22e24f7d_F(hs_V0) +{ + inhale ok_V0 == false + inhale v1_V0 == Seq[D$9084e2f5_1186dc0d_]() + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, v_V0_CN2: seq[Term_1186dc0d_T]°, t_V0_CN3: Place_c3672ae3_T°, s_V0_CN4: mset[Fact_3e61b158_T]°, ok_V0_CN5: bool°, v1_V0_CN6: seq[Term_1186dc0d_T]°, t1_V0_CN7: Place_c3672ae3_T°, s1_V0_CN8: mset[Fact_3e61b158_T]° + var s1_V0_CN8: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN7: D$fe170ee1_c3672ae3_ + var v1_V0_CN6: Seq[D$9084e2f5_1186dc0d_] + var ok_V0_CN5: Bool + var s_V0_CN4: 
Multiset[D$226445f2_3e61b158_] + var t_V0_CN3: D$fe170ee1_c3672ae3_ + var v_V0_CN2: Seq[D$9084e2f5_1186dc0d_] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init v_V0_CN2 + inhale v_V0_CN2 == Seq[D$9084e2f5_1186dc0d_]() + + // init t_V0_CN3 + inhale t_V0_CN3 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN4 + inhale s_V0_CN4 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN5 + inhale ok_V0_CN5 == false + + // init v1_V0_CN6 + inhale v1_V0_CN6 == Seq[D$9084e2f5_1186dc0d_]() + + // init t1_V0_CN7 + inhale t1_V0_CN7 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN8 + inhale s1_V0_CN8 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // v_V0_CN2 = v_V0 + v_V0_CN2 := v_V0 + + // t_V0_CN3 = t_V0 + t_V0_CN3 := t_V0 + + // s_V0_CN4 = s_V0 + s_V0_CN4 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, ekRT_V1: Term_1186dc0d_T°, N60: ByteString_c7a67a88_T°, N61: bool°, N62: Place_c3672ae3_T°, newPk_V1: ByteString_c7a67a88_T°, ekR_V1: Bytes_b3aa12e7_T°, sidI_V1: Bytes_b3aa12e7_T°, sidR_V1: Bytes_b3aa12e7_T°, sidRT_V1: Term_1186dc0d_T°, pkI_V1: Bytes_b3aa12e7_T°, psk_V1: Bytes_b3aa12e7_T°, epkI_V1: Bytes_b3aa12e7_T°, c3_V1: Bytes_b3aa12e7_T°, h4_V1: Bytes_b3aa12e7_T°, N72: 
*Response_c7a67a88_T°, N73: bool°, response_V1: *Response_c7a67a88_T°, N74: ByteString_c7a67a88_T°, packet_V1: ByteString_c7a67a88_T°, mac1T_V1: Term_1186dc0d_T°, N79: Bytes_b3aa12e7_T°, N80: Place_c3672ae3_T°, mac1_V1: Bytes_b3aa12e7_T°, mac2T_V1: Term_1186dc0d_T°, N85: Bytes_b3aa12e7_T°, N86: Place_c3672ae3_T°, mac2_V1: Bytes_b3aa12e7_T°, msg_V1: Term_1186dc0d_T°, Q2sidR_V1: Term_1186dc0d_T°, Q2a_V1: Term_1186dc0d_T°, Q2b_V1: Term_1186dc0d_T°, Q2prologue_V1: Term_1186dc0d_T°, Q2info_V1: Term_1186dc0d_T°, Q2pkI_V1: Term_1186dc0d_T°, Q2kR_V1: Term_1186dc0d_T°, Q2epkI_V1: Term_1186dc0d_T°, Q2psk_V1: Term_1186dc0d_T°, Q2c3_V1: Term_1186dc0d_T°, Q2h4_V1: Term_1186dc0d_T°, Q2sidI_V1: Term_1186dc0d_T°, Q2ekR_V1: Term_1186dc0d_T°, Q2mac1R_V1: Term_1186dc0d_T°, Q2mac2R_V1: Term_1186dc0d_T°, l_V1: mset[Fact_3e61b158_T]°, a_V1: mset[Claim_2716b91c_T]°, r_V1: mset[Fact_3e61b158_T]°, N174: Place_c3672ae3_T°, N179: bool°, N180: Place_c3672ae3_T° + var N180: D$fe170ee1_c3672ae3_ + var N179: Bool + var N174: D$fe170ee1_c3672ae3_ + var r_V1: Multiset[D$226445f2_3e61b158_] + var a_V1: Multiset[D$46be403b_2716b91c_] + var l_V1: Multiset[D$226445f2_3e61b158_] + var Q2mac2R_V1: D$9084e2f5_1186dc0d_ + var Q2mac1R_V1: D$9084e2f5_1186dc0d_ + var Q2ekR_V1: D$9084e2f5_1186dc0d_ + var Q2sidI_V1: D$9084e2f5_1186dc0d_ + var Q2h4_V1: D$9084e2f5_1186dc0d_ + var Q2c3_V1: D$9084e2f5_1186dc0d_ + var Q2psk_V1: D$9084e2f5_1186dc0d_ + var Q2epkI_V1: D$9084e2f5_1186dc0d_ + var Q2kR_V1: D$9084e2f5_1186dc0d_ + var Q2pkI_V1: D$9084e2f5_1186dc0d_ + var Q2info_V1: D$9084e2f5_1186dc0d_ + var Q2prologue_V1: D$9084e2f5_1186dc0d_ + var Q2b_V1: D$9084e2f5_1186dc0d_ + var Q2a_V1: D$9084e2f5_1186dc0d_ + var Q2sidR_V1: D$9084e2f5_1186dc0d_ + var msg_V1: D$9084e2f5_1186dc0d_ + var mac2_V1: D$8d64a7ad_b3aa12e7_ + var N86: D$fe170ee1_c3672ae3_ + var N85: D$8d64a7ad_b3aa12e7_ + var mac2T_V1: D$9084e2f5_1186dc0d_ + var mac1_V1: D$8d64a7ad_b3aa12e7_ + var N80: D$fe170ee1_c3672ae3_ + var N79: D$8d64a7ad_b3aa12e7_ + var 
mac1T_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N74: Slice[Ref] + var response_V1: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var N73: Bool + var N72: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var h4_V1: D$8d64a7ad_b3aa12e7_ + var c3_V1: D$8d64a7ad_b3aa12e7_ + var epkI_V1: D$8d64a7ad_b3aa12e7_ + var psk_V1: D$8d64a7ad_b3aa12e7_ + var pkI_V1: D$8d64a7ad_b3aa12e7_ + var sidRT_V1: D$9084e2f5_1186dc0d_ + var sidR_V1: D$8d64a7ad_b3aa12e7_ + var sidI_V1: D$8d64a7ad_b3aa12e7_ + var ekR_V1: D$8d64a7ad_b3aa12e7_ + var newPk_V1: Slice[Ref] + var N62: D$fe170ee1_c3672ae3_ + var N61: Bool + var N60: Slice[Ref] + var ekRT_V1: D$9084e2f5_1186dc0d_ + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = responder_V0_CN0.getRid() + rid_V1 := getRid_22e24f7d_PMResponder(responder_V0_CN0) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = responder_V0_CN0.getPP() + pp_V1 := getPP_22e24f7d_PMResponder(responder_V0_CN0) + + // unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4)) + unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4), write) + + // unfold acc(phiRF_Resp_10_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4)) + unfold acc(phiRF_Resp_10_c0f0ff6b_F(t_V0_CN3, rid_V1, s_V0_CN4), write) + + // init ekRT_V1 + inhale ekRT_V1 == dfltD$9084e2f5_1186dc0d_() + + // ekRT_V1 = get_e_FrFact_r1_c0f0ff6b_F(t_V0_CN3, rid_V1) + ekRT_V1 := get_e_FrFact_r1_c0f0ff6b_F(t_V0_CN3, rid_V1) + + // N60, N61, N62 = NewPrivateKey_c7a67a88_F(t_V0_CN3, rid_V1) + N60, N61, N62 := NewPrivateKey_c7a67a88_F(t_V0_CN3, rid_V1) + + // init newPk_V1 + inhale newPk_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // newPk_V1 = N60 + newPk_V1 := N60 + + // ok_V0_CN5 = N61 + ok_V0_CN5 := N61 + + // t1_V0_CN7 = N62 + t1_V0_CN7 := N62 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // s1_V0_CN8 = s_V0_CN4 union 
mset[Fact_3e61b158_T] { FrFact_Resp_3e61b158_F(rid_V1, ekRT_V1) } + s1_V0_CN8 := (s_V0_CN4 union Multiset(FrFact_Resp_3e61b158_F(rid_V1, ekRT_V1))) + + // init ekR_V1 + inhale ekR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // ekR_V1 = Abs_c7a67a88_F(newPk_V1) + ekR_V1 := Abs_c7a67a88_F(newPk_V1) + + // init sidI_V1 + inhale sidI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // sidI_V1 = old(getSidI1_22e24f7d_F(hs_V0_CN1)) + sidI_V1 := old(getSidI1_22e24f7d_F(hs_V0_CN1)) + + // init sidR_V1 + inhale sidR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // init sidRT_V1 + inhale sidRT_V1 == dfltD$9084e2f5_1186dc0d_() + + // sidR_V1 = old(getSidR_22e24f7d_F(responder_V0_CN0)) + sidR_V1 := old(getSidR_22e24f7d_F(responder_V0_CN0)) + + // sidRT_V1 = rid_V1 + sidRT_V1 := rid_V1 + + // init pkI_V1 + inhale pkI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // pkI_V1 = old(getPkI_22e24f7d_F(responder_V0_CN0)) + pkI_V1 := old(getPkI_22e24f7d_F(responder_V0_CN0)) + + // init psk_V1 + inhale psk_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // psk_V1 = old(getPsk_22e24f7d_F(responder_V0_CN0)) + psk_V1 := old(getPsk_22e24f7d_F(responder_V0_CN0)) + + // init epkI_V1 + inhale epkI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // epkI_V1 = old(getEpkI1_22e24f7d_F(hs_V0_CN1)) + epkI_V1 := old(getEpkI1_22e24f7d_F(hs_V0_CN1)) + + // init c3_V1 + inhale c3_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // c3_V1 = old(getNKey1_22e24f7d_F(hs_V0_CN1)) + c3_V1 := old(getNKey1_22e24f7d_F(hs_V0_CN1)) + + // init h4_V1 + inhale h4_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // h4_V1 = old(getNHash1_22e24f7d_F(hs_V0_CN1)) + h4_V1 := old(getNHash1_22e24f7d_F(hs_V0_CN1)) + + // N72, N73 = responder_V0_CN0createResponse(hs_V0_CN1, newPk_V1) + N72, N73 := createResponse_22e24f7d_PMResponder(responder_V0_CN0, hs_V0_CN1, newPk_V1) + + // init response_V1 + inhale response_V1 == 
shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // response_V1 = N72 + response_V1 := N72 + + // ok_V0_CN5 = N73 + ok_V0_CN5 := N73 + + // if(!ok_V0_CN5) {...} else {...} + if (!ok_V0_CN5) { + + // decl + + // return + goto returnLabel + } + + // N74 = MarshalResponse_c7a67a88_F(response_V1) + N74 := MarshalResponse_c7a67a88_F(response_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // packet_V1 = N74 + packet_V1 := N74 + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRF_Resp_11_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiRF_Resp_11_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // init mac1T_V1 + inhale mac1T_V1 == dfltD$9084e2f5_1186dc0d_() + + // mac1T_V1 = get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN7, rid_V1) + mac1T_V1 := get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN7, rid_V1) + + // N79, N80 = &*responder_V0_CN0.LibStateAAddMac1(packet_V1, Bytes_M2_68d987ee_F(sidI_V1, sidR_V1, pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1, zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)), t1_V0_CN7, rid_V1) + N79, N80 := AddMac1_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, Bytes_M2_68d987ee_F(sidI_V1, sidR_V1, pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1, zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)), t1_V0_CN7, rid_V1) + + // init mac1_V1 + inhale mac1_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // mac1_V1 = N79 + mac1_V1 := N79 + + // t1_V0_CN7 = N80 + t1_V0_CN7 := N80 + + // s1_V0_CN8 = s1_V0_CN8 union 
mset[Fact_3e61b158_T] { MAC_Resp_3e61b158_F(rid_V1, mac1T_V1) } + s1_V0_CN8 := (s1_V0_CN8 union Multiset(MAC_Resp_3e61b158_F(rid_V1, mac1T_V1))) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRF_Resp_11_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiRF_Resp_11_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // init mac2T_V1 + inhale mac2T_V1 == dfltD$9084e2f5_1186dc0d_() + + // mac2T_V1 = get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN7, rid_V1) + mac2T_V1 := get_e_MAC_r1_c0f0ff6b_F(t1_V0_CN7, rid_V1) + + // N85, N86 = &*responder_V0_CN0.LibStateAAddMac2(packet_V1, Bytes_M2_68d987ee_F(sidI_V1, sidR_V1, pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1, mac1_V1, zeroStringB_b3aa12e7_F(16)), t1_V0_CN7, rid_V1) + N85, N86 := AddMac2_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, Bytes_M2_68d987ee_F(sidI_V1, sidR_V1, pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1, mac1_V1, zeroStringB_b3aa12e7_F(16)), t1_V0_CN7, rid_V1) + + // init mac2_V1 + inhale mac2_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // mac2_V1 = N85 + mac2_V1 := N85 + + // t1_V0_CN7 = N86 + t1_V0_CN7 := N86 + + // s1_V0_CN8 = s1_V0_CN8 union mset[Fact_3e61b158_T] { MAC_Resp_3e61b158_F(rid_V1, mac2T_V1) } + s1_V0_CN8 := (s1_V0_CN8 union Multiset(MAC_Resp_3e61b158_F(rid_V1, mac2T_V1))) + + // assert Abs_c7a67a88_F(packet_V1) == Bytes_M2_68d987ee_F(sidI_V1, sidR_V1, pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1, mac1_V1, mac2_V1) + assert Abs_c7a67a88_F(packet_V1) == Bytes_M2_68d987ee_F(sidI_V1, sidR_V1, pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1, mac1_V1, mac2_V1) + + // assert getNKey2_22e24f7d_F(hs_V0_CN1) == Bytes_c7_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + assert getNKey2_22e24f7d_F(hs_V0_CN1) == Bytes_c7_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + + // init msg_V1 + inhale msg_V1 == dfltD$9084e2f5_1186dc0d_() + + // msg_V1 = 
Term_M2_68d987ee_F(v_V0_CN2[0], sidRT_V1, v_V0_CN2[2], v_V0_CN2[3], v_V0_CN2[4], v_V0_CN2[5], v_V0_CN2[6], ekRT_V1, mac1T_V1, mac2T_V1) + msg_V1 := Term_M2_68d987ee_F(v_V0_CN2[0], sidRT_V1, v_V0_CN2[2], v_V0_CN2[3], v_V0_CN2[4], v_V0_CN2[5], v_V0_CN2[6], ekRT_V1, mac1T_V1, mac2T_V1) + + // assert Abs_c7a67a88_F(packet_V1) == gamma_b3aa12e7_F(msg_V1) + assert Abs_c7a67a88_F(packet_V1) == gamma_b3aa12e7_F(msg_V1) + + // assert getNKey2_22e24f7d_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_c7_68d987ee_F(v_V0_CN2[2], v_V0_CN2[3], v_V0_CN2[4], v_V0_CN2[5], ekRT_V1)) + assert getNKey2_22e24f7d_F(hs_V0_CN1) == gamma_b3aa12e7_F(Term_c7_68d987ee_F(v_V0_CN2[2], v_V0_CN2[3], v_V0_CN2[4], v_V0_CN2[5], ekRT_V1)) + + // init Q2sidR_V1 + inhale Q2sidR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2sidR_V1 = rid_V1 + Q2sidR_V1 := rid_V1 + + // init Q2a_V1 + inhale Q2a_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2a_V1 = getFirst_d2674021_F(pp_V1) + Q2a_V1 := getFirst_d2674021_F(pp_V1) + + // init Q2b_V1 + inhale Q2b_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2b_V1 = getSecond_d2674021_F(pp_V1) + Q2b_V1 := getSecond_d2674021_F(pp_V1) + + // init Q2prologue_V1 + inhale Q2prologue_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2prologue_V1 = getThird_d2674021_F(pp_V1) + Q2prologue_V1 := getThird_d2674021_F(pp_V1) + + // init Q2info_V1 + inhale Q2info_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2info_V1 = getForth_d2674021_F(pp_V1) + Q2info_V1 := getForth_d2674021_F(pp_V1) + + // init Q2pkI_V1 + inhale Q2pkI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2pkI_V1 = v_V0_CN2[2] + Q2pkI_V1 := v_V0_CN2[2] + + // init Q2kR_V1 + inhale Q2kR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2kR_V1 = v_V0_CN2[1] + Q2kR_V1 := v_V0_CN2[1] + + // init Q2epkI_V1 + inhale Q2epkI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2epkI_V1 = v_V0_CN2[4] + Q2epkI_V1 := v_V0_CN2[4] + + // init Q2psk_V1 + inhale Q2psk_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2psk_V1 = v_V0_CN2[3] + Q2psk_V1 := v_V0_CN2[3] + + // init Q2c3_V1 + inhale Q2c3_V1 == 
dfltD$9084e2f5_1186dc0d_() + + // Q2c3_V1 = v_V0_CN2[5] + Q2c3_V1 := v_V0_CN2[5] + + // init Q2h4_V1 + inhale Q2h4_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2h4_V1 = v_V0_CN2[6] + Q2h4_V1 := v_V0_CN2[6] + + // init Q2sidI_V1 + inhale Q2sidI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2sidI_V1 = v_V0_CN2[0] + Q2sidI_V1 := v_V0_CN2[0] + + // init Q2ekR_V1 + inhale Q2ekR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2ekR_V1 = ekRT_V1 + Q2ekR_V1 := ekRT_V1 + + // init Q2mac1R_V1 + inhale Q2mac1R_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2mac1R_V1 = mac1T_V1 + Q2mac1R_V1 := mac1T_V1 + + // init Q2mac2R_V1 + inhale Q2mac2R_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q2mac2R_V1 = mac2T_V1 + Q2mac2R_V1 := mac2T_V1 + + // init l_V1 + inhale l_V1 == Multiset[D$226445f2_3e61b158_]() + + // l_V1 = InternalResp2L_d2674021_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1) + l_V1 := InternalResp2L_d2674021_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1) + + // init a_V1 + inhale a_V1 == Multiset[D$46be403b_2716b91c_]() + + // a_V1 = InternalResp2A_d2674021_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1) + a_V1 := InternalResp2A_d2674021_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1) + + // init r_V1 + inhale r_V1 == Multiset[D$226445f2_3e61b158_]() + + // r_V1 = InternalResp2R_d2674021_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1) + r_V1 := InternalResp2R_d2674021_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, 
Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiR_Resp_1_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiR_Resp_1_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // assert M_3e61b158_F(l_V1, s1_V0_CN8) + assert M_3e61b158_F(l_V1, s1_V0_CN8) + + // assert l_V1 == mset[Fact_3e61b158_T] { St_Resp_1_3e61b158_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1), FrFact_Resp_3e61b158_F(Q2sidR_V1, Q2ekR_V1), MAC_Resp_3e61b158_F(Q2sidR_V1, Q2mac1R_V1), MAC_Resp_3e61b158_F(Q2sidR_V1, Q2mac2R_V1) } + assert l_V1 == Multiset(St_Resp_1_3e61b158_F(Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1), FrFact_Resp_3e61b158_F(Q2sidR_V1, Q2ekR_V1), MAC_Resp_3e61b158_F(Q2sidR_V1, Q2mac1R_V1), MAC_Resp_3e61b158_F(Q2sidR_V1, Q2mac2R_V1)) + + // assert a_V1 == mset[Claim_2716b91c_T] { Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(Q2a_V1, pair_1186dc0d_F(Q2b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1)))))), SendSIDR_2716b91c_F(Q2sidR_V1), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), Q2sidR_V1, Q2sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), 
Q2ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), h_1186dc0d_F(h_1186dc0d_F(Q2h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1))), Q2mac1R_V1, Q2mac2R_V1)) } + assert a_V1 == Multiset(Running_2716b91c_F(pubTerm_1186dc0d_F(const_Init_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_Resp_pub_db7e1422_F()), pair_1186dc0d_F(Q2a_V1, pair_1186dc0d_F(Q2b_V1, pair_1186dc0d_F(kdf1__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1)), kdf2__1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1)))))), SendSIDR_2716b91c_F(Q2sidR_V1), OutFormat2_2716b91c_F(format2_1186dc0d_F(pubTerm_1186dc0d_F(const_2_pub_db7e1422_F()), Q2sidR_V1, Q2sidI_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1), aead_1186dc0d_F(kdf3_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1), pubTerm_1186dc0d_F(const_0_pub_db7e1422_F()), pubTerm_1186dc0d_F(const_e_pub_db7e1422_F()), 
h_1186dc0d_F(h_1186dc0d_F(Q2h4_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), kdf2_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(kdf1_1186dc0d_F(Q2c3_V1, exp_1186dc0d_F(pubTerm_1186dc0d_F(const_g_pub_db7e1422_F()), Q2ekR_V1)), exp_1186dc0d_F(Q2epkI_V1, Q2ekR_V1)), exp_1186dc0d_F(Q2pkI_V1, Q2ekR_V1)), Q2psk_V1))), Q2mac1R_V1, Q2mac2R_V1))) + + // assert acc(e_Handshake_St_Resp_2_c0f0ff6b_F(t1_V0_CN7, Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1, l_V1, a_V1, r_V1)) + assert acc(e_Handshake_St_Resp_2_c0f0ff6b_F(t1_V0_CN7, Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1, l_V1, a_V1, r_V1), write) + + // N174 = internBIO_e_Handshake_St_Resp_2_c0f0ff6b_F(t1_V0_CN7, Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1, l_V1, a_V1, r_V1) + N174 := internBIO_e_Handshake_St_Resp_2_c0f0ff6b_F(t1_V0_CN7, Q2sidR_V1, Q2a_V1, Q2b_V1, Q2prologue_V1, Q2info_V1, Q2pkI_V1, Q2kR_V1, Q2epkI_V1, Q2psk_V1, Q2c3_V1, Q2h4_V1, Q2sidI_V1, Q2ekR_V1, Q2mac1R_V1, Q2mac2R_V1, l_V1, a_V1, r_V1) + + // t1_V0_CN7 = N174 + t1_V0_CN7 := N174 + + // s1_V0_CN8 = U_3e61b158_F(l_V1, r_V1, s1_V0_CN8) + s1_V0_CN8 := U_3e61b158_F(l_V1, r_V1, s1_V0_CN8) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // unfold acc(phiRG_Resp_5_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8)) + unfold acc(phiRG_Resp_5_c0f0ff6b_F(t1_V0_CN7, rid_V1, s1_V0_CN8), write) + + // assert 0 < OutFact_Resp_3e61b158_F(rid_V1, msg_V1) in s1_V0_CN8 + assert 0 < ((OutFact_Resp_3e61b158_F(rid_V1, msg_V1) in s1_V0_CN8)) + + // assert acc(token_c3672ae3_F(t1_V0_CN7)) && acc(e_OutFact_c0f0ff6b_F(t1_V0_CN7, rid_V1, 
msg_V1)) && gamma_b3aa12e7_F(msg_V1) == Abs_c7a67a88_F(packet_V1) + assert acc(token_c3672ae3_F(t1_V0_CN7), write) && acc(e_OutFact_c0f0ff6b_F(t1_V0_CN7, rid_V1, msg_V1), write) && gamma_b3aa12e7_F(msg_V1) == Abs_c7a67a88_F(packet_V1) + + // N179, N180 = &*responder_V0_CN0.LibStateASend(packet_V1, t1_V0_CN7, rid_V1, msg_V1) + N179, N180 := Send_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, t1_V0_CN7, rid_V1, msg_V1) + + // ok_V0_CN5 = N179 + ok_V0_CN5 := N179 + + // t1_V0_CN7 = N180 + t1_V0_CN7 := N180 + + // s1_V0_CN8 = s1_V0_CN8 setminus mset[Fact_3e61b158_T] { OutFact_Resp_3e61b158_F(rid_V1, msg_V1) } + s1_V0_CN8 := (s1_V0_CN8 setminus Multiset(OutFact_Resp_3e61b158_F(rid_V1, msg_V1))) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) + + // v1_V0_CN6 = seq[Term_1186dc0d_T] { 0:v_V0_CN2[0], 1:v_V0_CN2[1], 2:v_V0_CN2[2], 3:v_V0_CN2[3], 4:Term_c7_68d987ee_F(v_V0_CN2[2], v_V0_CN2[3], v_V0_CN2[4], v_V0_CN2[5], ekRT_V1) } + v1_V0_CN6 := Seq(v_V0_CN2[0], v_V0_CN2[1], v_V0_CN2[2], v_V0_CN2[3], Term_c7_68d987ee_F(v_V0_CN2[2], v_V0_CN2[3], v_V0_CN2[4], v_V0_CN2[5], ekRT_V1)) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN5 + ok_V0 := ok_V0_CN5 + + // v1_V0 = v1_V0_CN6 + v1_V0 := v1_V0_CN6 + + // t1_V0 = t1_V0_CN7 + t1_V0 := t1_V0_CN7 + + // s1_V0 = s1_V0_CN8 + s1_V0 := s1_V0_CN8 +} + +method createResponse_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref], newPk_V0: Slice[Ref]) returns (response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) && acc(HandshakeMem1_22e24f7d_F(hs_V0), write) + requires acc(Mem_c7a67a88_F(newPk_V0), write) && Size_c7a67a88_F(newPk_V0) == 32 + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 
8) + ensures ok_V0 ==> acc(ResponseMem_c7a67a88_F(response_V0), write) && acc(HandshakeMem2_22e24f7d_F(hs_V0), write) + ensures ok_V0 ==> ResponseAbs_c7a67a88_F(response_V0) == Bytes_M2_68d987ee_F(old(getSidI1_22e24f7d_F(hs_V0)), getSidR_22e24f7d_F(responder_V0), getPkI_22e24f7d_F(responder_V0), getPsk_22e24f7d_F(responder_V0), old(getEpkI1_22e24f7d_F(hs_V0)), old(getNKey1_22e24f7d_F(hs_V0)), old(getNHash1_22e24f7d_F(hs_V0)), old(Abs_c7a67a88_F(newPk_V0)), zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)) + ensures ok_V0 ==> getSidI2_22e24f7d_F(hs_V0) == old(getSidI1_22e24f7d_F(hs_V0)) && getEpkI2_22e24f7d_F(hs_V0) == old(getEpkI1_22e24f7d_F(hs_V0)) + ensures ok_V0 ==> getNKey2_22e24f7d_F(hs_V0) == Bytes_c7_68d987ee_F(getPkI_22e24f7d_F(responder_V0), getPsk_22e24f7d_F(responder_V0), old(getEpkI1_22e24f7d_F(hs_V0)), old(getNKey1_22e24f7d_F(hs_V0)), old(Abs_c7a67a88_F(newPk_V0))) +{ + inhale response_V0 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + inhale ok_V0 == false + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, newPk_V0_CN2: ByteString_c7a67a88_T°, response_V0_CN3: *Response_c7a67a88_T°, ok_V0_CN4: bool° + var ok_V0_CN4: Bool + var response_V0_CN3: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var newPk_V0_CN2: Slice[Ref] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == 
shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init newPk_V0_CN2 + inhale newPk_V0_CN2 == sliceDefault_Intbyte$$$_S_$$$() + + // init response_V0_CN3 + inhale response_V0_CN3 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_SenderA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_EphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_EmptyA_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC1A_DefinedByteString_c7a67a88_T$$$_S_$$$_MAC2A_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init ok_V0_CN4 + inhale ok_V0_CN4 == false + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // newPk_V0_CN2 = newPk_V0 + newPk_V0_CN2 := newPk_V0 + + // decl args_V1: *HandshakeArguments_c7a67a88_T°, kR_V1: Bytes_b3aa12e7_T°, pkI_V1: Bytes_b3aa12e7_T°, psk_V1: Bytes_b3aa12e7_T°, epkI_V1: Bytes_b3aa12e7_T°, c3_V1: Bytes_b3aa12e7_T°, h4_V1: Bytes_b3aa12e7_T°, ekR_V1: Bytes_b3aa12e7_T°, N36: ByteString_c7a67a88_T°, ephemeral_V1: ByteString_c7a67a88_T°, N45: ByteString_c7a67a88_T°, tau_V1: ByteString_c7a67a88_T°, N46: ByteString_c7a67a88_T°, key_V1: ByteString_c7a67a88_T°, N55: ByteString_c7a67a88_T°, N56: ByteString_c7a67a88_T°, N57: bool°, empty_V1: ByteString_c7a67a88_T°, N60: *Response_c7a67a88_T° + var N60: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var empty_V1: Slice[Ref] + var N57: Bool + var N56: Slice[Ref] + var N55: Slice[Ref] + var key_V1: Slice[Ref] + var N46: Slice[Ref] + var tau_V1: Slice[Ref] + var N45: Slice[Ref] + var ephemeral_V1: Slice[Ref] + var N36: Slice[Ref] + var ekR_V1: D$8d64a7ad_b3aa12e7_ + var h4_V1: D$8d64a7ad_b3aa12e7_ + var c3_V1: D$8d64a7ad_b3aa12e7_ + var epkI_V1: D$8d64a7ad_b3aa12e7_ + var psk_V1: D$8d64a7ad_b3aa12e7_ + var pkI_V1: D$8d64a7ad_b3aa12e7_ + var kR_V1: 
D$8d64a7ad_b3aa12e7_ + var args_V1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // init args_V1 + inhale args_V1 == shStructDefault_$PresharedKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_PrivateKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalIndexA_Intuint32$$$_S_$$$_LocalStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteStaticA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // args_V1 = &*responder_V0_CN0.HandshakeInfoA + args_V1 := (ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref]) + + // unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + unfold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // unfold acc(HandshakeMem1_22e24f7d_F(hs_V0_CN1)) + unfold acc(HandshakeMem1_22e24f7d_F(hs_V0_CN1), write) + + // init kR_V1 + inhale kR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // kR_V1 = Abs_c7a67a88_F(*args_V1.PrivateKeyA) + kR_V1 := Abs_c7a67a88_F((ShStructget1of5(args_V1): Ref).val$_Slice_Ref) + + // init pkI_V1 + inhale pkI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // pkI_V1 = Abs_c7a67a88_F(*args_V1.RemoteStaticA) + pkI_V1 := Abs_c7a67a88_F((ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // init psk_V1 + inhale psk_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // psk_V1 = Abs_c7a67a88_F(*args_V1.PresharedKeyA) + psk_V1 := Abs_c7a67a88_F((ShStructget0of5(args_V1): Ref).val$_Slice_Ref) + + // init epkI_V1 + inhale epkI_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // epkI_V1 = Abs_c7a67a88_F(*hs_V0_CN1.RemoteEphemeralA) + epkI_V1 := Abs_c7a67a88_F((ShStructget4of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init c3_V1 + inhale c3_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // c3_V1 = Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) + c3_V1 := Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init h4_V1 + inhale h4_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // h4_V1 = Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) + h4_V1 := 
Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init ekR_V1 + inhale ekR_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // ekR_V1 = Abs_c7a67a88_F(newPk_V0_CN2) + ekR_V1 := Abs_c7a67a88_F(newPk_V0_CN2) + + // *hs_V0_CN1.LocalEphemeralA = newPk_V0_CN2 + (ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref := newPk_V0_CN2 + + // N36 = PublicKey_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA) + N36 := PublicKey_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init ephemeral_V1 + inhale ephemeral_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // ephemeral_V1 = N36 + ephemeral_V1 := N36 + + // ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, ephemeral_V1) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, ephemeral_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h5_68d987ee_F(h4_V1, ekR_V1) + assert Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h5_68d987ee_F(h4_V1, ekR_V1) + + // ComputeKDF1Inplace_c7a67a88_F(*hs_V0_CN1.ChainKeyA, ephemeral_V1) + ComputeKDF1Inplace_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, ephemeral_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c4_68d987ee_F(c3_V1, ekR_V1) + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_c4_68d987ee_F(c3_V1, ekR_V1) + + // decl N41: ByteString_c7a67a88_T°, ss_V2: ByteString_c7a67a88_T°, N42: ByteString_c7a67a88_T° + var N42: Slice[Ref] + var ss_V2: Slice[Ref] + var N41: Slice[Ref] + + // N41 = ComputeSharedSecret_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA, *hs_V0_CN1.RemoteEphemeralA) + N41 := ComputeSharedSecret_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget4of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init ss_V2 + inhale ss_V2 == sliceDefault_Intbyte$$$_S_$$$() + + // ss_V2 = N41 + ss_V2 := N41 + + // ComputeKDF1Inplace_c7a67a88_F(*hs_V0_CN1.ChainKeyA, ss_V2) + ComputeKDF1Inplace_c7a67a88_F((ShStructget1of5(hs_V0_CN1): 
Ref).val$_Slice_Ref, ss_V2) + + // N42 = ComputeSharedSecret_c7a67a88_F(*hs_V0_CN1.LocalEphemeralA, *args_V1.RemoteStaticA) + N42 := ComputeSharedSecret_c7a67a88_F((ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget4of5(args_V1): Ref).val$_Slice_Ref) + + // ss_V2 = N42 + ss_V2 := N42 + + // ComputeKDF1Inplace_c7a67a88_F(*hs_V0_CN1.ChainKeyA, ss_V2) + ComputeKDF1Inplace_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, ss_V2) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c6_68d987ee_F(pkI_V1, epkI_V1, c3_V1, ekR_V1) + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_c6_68d987ee_F(pkI_V1, epkI_V1, c3_V1, ekR_V1) + + // N45 = NewByteString_c7a67a88_F(32) + N45 := NewByteString_c7a67a88_F(32) + + // init tau_V1 + inhale tau_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // tau_V1 = N45 + tau_V1 := N45 + + // N46 = NewByteString_c7a67a88_F(32) + N46 := NewByteString_c7a67a88_F(32) + + // init key_V1 + inhale key_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // key_V1 = N46 + key_V1 := N46 + + // ComputeKDF3Inplace_c7a67a88_F(tau_V1, key_V1, *hs_V0_CN1.ChainKeyA, *args_V1.PresharedKeyA) + ComputeKDF3Inplace_c7a67a88_F(tau_V1, key_V1, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, (ShStructget0of5(args_V1): Ref).val$_Slice_Ref) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainKeyA) == Bytes_c7_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + assert Abs_c7a67a88_F((ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_c7_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + + // assert Abs_c7a67a88_F(tau_V1) == Bytes_pi_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + assert Abs_c7a67a88_F(tau_V1) == Bytes_pi_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + + // assert Abs_c7a67a88_F(key_V1) == Bytes_k3_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + assert Abs_c7a67a88_F(key_V1) == Bytes_k3_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, ekR_V1) + + // 
ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, tau_V1) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, tau_V1) + + // assert Abs_c7a67a88_F(*hs_V0_CN1.ChainHashA) == Bytes_h6_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1) + assert Abs_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) == Bytes_h6_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1) + + // N55 = ZeroNonce_c7a67a88_F() + N55 := ZeroNonce_c7a67a88_F() + + // N56, N57 = AeadEnc_c7a67a88_F(key_V1, N55, (nil:ByteString_c7a67a88_T), *hs_V0_CN1.ChainHashA) + N56, N57 := AeadEnc_c7a67a88_F(key_V1, N55, sliceDefault_Intbyte$$$_S_$$$(), (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref) + + // init empty_V1 + inhale empty_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // empty_V1 = N56 + empty_V1 := N56 + + // ok_V0_CN4 = N57 + ok_V0_CN4 := N57 + + // if(!ok_V0_CN4) {...} else {...} + if (!ok_V0_CN4) { + + // decl + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // return + goto returnLabel + } + + // assert Abs_c7a67a88_F(empty_V1) == Bytes_c_empty_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1) + assert Abs_c7a67a88_F(empty_V1) == Bytes_c_empty_68d987ee_F(pkI_V1, psk_V1, epkI_V1, c3_V1, h4_V1, ekR_V1) + + // ComputeHashInplace_c7a67a88_F(*hs_V0_CN1.ChainHashA, empty_V1) + ComputeHashInplace_c7a67a88_F((ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref, empty_V1) + + // N60 = new(Response_c7a67a88_T{2, *args_V1.LocalIndexA, *hs_V0_CN1.RemoteIndexA, ephemeral_V1, empty_V1, dflt[ByteString_c7a67a88_T], dflt[ByteString_c7a67a88_T]}) + var fn$$0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of7(fn$$0): Ref).val$_Int, write) && acc((ShStructget1of7(fn$$0): Ref).val$_Int, write) && acc((ShStructget2of7(fn$$0): 
Ref).val$_Int, write) && acc((ShStructget3of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget4of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget5of7(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget6of7(fn$$0): Ref).val$_Slice_Ref, write) && (true && (ShStructget0of7(fn$$0): Ref).val$_Int == (get0of7((tuple7(2, (ShStructget2of5(args_V1): Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Int) && (ShStructget1of7(fn$$0): Ref).val$_Int == (get1of7((tuple7(2, (ShStructget2of5(args_V1): Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Int) && (ShStructget2of7(fn$$0): Ref).val$_Int == (get2of7((tuple7(2, (ShStructget2of5(args_V1): Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Int) && (ShStructget3of7(fn$$0): Ref).val$_Slice_Ref == (get3of7((tuple7(2, (ShStructget2of5(args_V1): Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget4of7(fn$$0): Ref).val$_Slice_Ref == (get4of7((tuple7(2, (ShStructget2of5(args_V1): Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget5of7(fn$$0): Ref).val$_Slice_Ref == (get5of7((tuple7(2, (ShStructget2of5(args_V1): 
Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref]) && (ShStructget6of7(fn$$0): Ref).val$_Slice_Ref == (get6of7((tuple7(2, (ShStructget2of5(args_V1): Ref).val$_Int, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int, ephemeral_V1, empty_V1, sliceDefault_Intbyte$$$_S_$$$(), sliceDefault_Intbyte$$$_S_$$$()): Tuple7[Int, Int, Int, Slice[Ref], Slice[Ref], Slice[Ref], Slice[Ref]])): Slice[Ref])) + N60 := fn$$0 + + // response_V0_CN3 = N60 + response_V0_CN3 := N60 + + // fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F(args_V1), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // fold acc(ResponseMem_c7a67a88_F(response_V0_CN3)) + fold acc(ResponseMem_c7a67a88_F(response_V0_CN3), write) + + // fold acc(HandshakeMem2_22e24f7d_F(hs_V0_CN1)) + fold acc(HandshakeMem2_22e24f7d_F(hs_V0_CN1), write) + + // return + goto returnLabel + label returnLabel + + // response_V0 = response_V0_CN3 + response_V0 := response_V0_CN3 + + // ok_V0 = ok_V0_CN4 + ok_V0 := ok_V0_CN4 +} + +method beginSymmetricSession_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], hs_V0: ShStruct5[Ref, Ref, Ref, Ref, Ref]) returns (conn_V0: ShStruct4[Ref, Ref, Ref, Ref]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 4) && acc(HandshakeMem2_22e24f7d_F(hs_V0), write) + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 4) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) + ensures ConnectionKRI_c7a67a88_F(conn_V0) == kdf1B__b3aa12e7_F(old(getNKey2_22e24f7d_F(hs_V0))) + ensures ConnectionKIR_c7a67a88_F(conn_V0) == kdf2B__b3aa12e7_F(old(getNKey2_22e24f7d_F(hs_V0))) + ensures ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 + ensures 
ConnectionSidI_c7a67a88_F(conn_V0) == old(getSidI2_22e24f7d_F(hs_V0)) +{ + inhale conn_V0 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, hs_V0_CN1: *Handshake_c7a67a88_T°, conn_V0_CN2: *Connection_c7a67a88_T° + var conn_V0_CN2: ShStruct4[Ref, Ref, Ref, Ref] + var hs_V0_CN1: ShStruct5[Ref, Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init hs_V0_CN1 + inhale hs_V0_CN1 == shStructDefault_$ChainHashA_DefinedByteString_c7a67a88_T$$$_S_$$$_ChainKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_LocalEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$_RemoteEphemeralA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // init conn_V0_CN2 + inhale conn_V0_CN2 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // hs_V0_CN1 = hs_V0 + hs_V0_CN1 := hs_V0 + + // decl N12: ByteString_c7a67a88_T°, sendKey_V1: ByteString_c7a67a88_T°, N13: ByteString_c7a67a88_T°, recvKey_V1: ByteString_c7a67a88_T°, N14: *Connection_c7a67a88_T° + var N14: ShStruct4[Ref, Ref, Ref, Ref] + var recvKey_V1: Slice[Ref] + var N13: Slice[Ref] + var sendKey_V1: Slice[Ref] + var N12: Slice[Ref] + + // N12 = NewByteString_c7a67a88_F(32) + N12 := NewByteString_c7a67a88_F(32) + + // init sendKey_V1 + inhale sendKey_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // sendKey_V1 = N12 + sendKey_V1 := N12 + 
+ // N13 = NewByteString_c7a67a88_F(32) + N13 := NewByteString_c7a67a88_F(32) + + // init recvKey_V1 + inhale recvKey_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // recvKey_V1 = N13 + recvKey_V1 := N13 + + // unfold acc(HandshakeMem2_22e24f7d_F(hs_V0_CN1)) + unfold acc(HandshakeMem2_22e24f7d_F(hs_V0_CN1), write) + + // ComputeKDF2_c7a67a88_F(recvKey_V1, sendKey_V1, *hs_V0_CN1.ChainKeyA, (nil:ByteString_c7a67a88_T)) + ComputeKDF2_c7a67a88_F(recvKey_V1, sendKey_V1, (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref, sliceDefault_Intbyte$$$_S_$$$()) + + // *hs_V0_CN1.ChainKeyA = (nil:ByteString_c7a67a88_T) + (ShStructget1of5(hs_V0_CN1): Ref).val$_Slice_Ref := sliceDefault_Intbyte$$$_S_$$$() + + // *hs_V0_CN1.ChainHashA = (nil:ByteString_c7a67a88_T) + (ShStructget0of5(hs_V0_CN1): Ref).val$_Slice_Ref := sliceDefault_Intbyte$$$_S_$$$() + + // *hs_V0_CN1.LocalEphemeralA = (nil:ByteString_c7a67a88_T) + (ShStructget2of5(hs_V0_CN1): Ref).val$_Slice_Ref := sliceDefault_Intbyte$$$_S_$$$() + + // N14 = new(Connection_c7a67a88_T{0, sendKey_V1, recvKey_V1, *hs_V0_CN1.RemoteIndexA}) + var fn$$0: ShStruct4[Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget1of4(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget2of4(fn$$0): Ref).val$_Slice_Ref, write) && acc((ShStructget3of4(fn$$0): Ref).val$_Int, write) && (true && (ShStructget0of4(fn$$0): Ref).val$_Int == (get0of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Int) && (ShStructget1of4(fn$$0): Ref).val$_Slice_Ref == (get1of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Slice[Ref]) && (ShStructget2of4(fn$$0): Ref).val$_Slice_Ref == (get2of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Slice[Ref]) && (ShStructget3of4(fn$$0): Ref).val$_Int == 
(get3of4((tuple4(0, sendKey_V1, recvKey_V1, (ShStructget3of5(hs_V0_CN1): Ref).val$_Int): Tuple4[Int, Slice[Ref], Slice[Ref], Int])): Int)) + N14 := fn$$0 + + // conn_V0_CN2 = N14 + conn_V0_CN2 := N14 + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // return + goto returnLabel + label returnLabel + + // conn_V0 = conn_V0_CN2 + conn_V0 := conn_V0_CN2 +} + +method forwardPackets_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], conn_V0: ShStruct4[Ref, Ref, Ref, Ref], v_V0: Seq[D$9084e2f5_1186dc0d_], t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), write) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, getRid_22e24f7d_PMResponder(responder_V0), s_V0), write) + requires |v_V0| == 6 + requires 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s_V0)) + requires gamma_b3aa12e7_F(v_V0[0]) == ConnectionSidI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v_V0[1]) == getKR_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[4]) == ConnectionKRI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v_V0[5]) == ConnectionKIR_c7a67a88_F(conn_V0) + requires ConnectionNonceVal_c7a67a88_F(conn_V0) == 0 +{ + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, conn_V0_CN1: *Connection_c7a67a88_T°, v_V0_CN2: seq[Term_1186dc0d_T]°, t_V0_CN3: Place_c3672ae3_T°, s_V0_CN4: mset[Fact_3e61b158_T]° + var 
s_V0_CN4: Multiset[D$226445f2_3e61b158_] + var t_V0_CN3: D$fe170ee1_c3672ae3_ + var v_V0_CN2: Seq[D$9084e2f5_1186dc0d_] + var conn_V0_CN1: ShStruct4[Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init conn_V0_CN1 + inhale conn_V0_CN1 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init v_V0_CN2 + inhale v_V0_CN2 == Seq[D$9084e2f5_1186dc0d_]() + + // init t_V0_CN3 + inhale t_V0_CN3 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN4 + inhale s_V0_CN4 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // conn_V0_CN1 = conn_V0 + conn_V0_CN1 := conn_V0 + + // v_V0_CN2 = v_V0 + v_V0_CN2 := v_V0 + + // t_V0_CN3 = t_V0 + t_V0_CN3 := t_V0 + + // s_V0_CN4 = s_V0 + s_V0_CN4 := s_V0 + + // decl t1_V1: Place_c3672ae3_T°, s1_V1: mset[Fact_3e61b158_T]°, firstReceive_V1: bool° + var firstReceive_V1: Bool + var s1_V1: Multiset[D$226445f2_3e61b158_] + var t1_V1: D$fe170ee1_c3672ae3_ + + // init t1_V1 + inhale t1_V1 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V1 + inhale s1_V1 == Multiset[D$226445f2_3e61b158_]() + + // t1_V1 = t_V0_CN3 + t1_V1 := t_V0_CN3 + + // s1_V1 = s_V0_CN4 + s1_V1 := s_V0_CN4 + + // init firstReceive_V1 + inhale firstReceive_V1 == false + + // firstReceive_V1 = true + firstReceive_V1 := true + + // decl L$11$1$Break + + // while(true) +// invariant acc(ResponderMem_22e24f7d_F(responder_V0_CN0)) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1)) +// invariant len(v_V0_CN2) == 6 && gamma_b3aa12e7_F(v_V0_CN2[0]) == ConnectionSidI_c7a67a88_F(conn_V0_CN1) 
&& gamma_b3aa12e7_F(v_V0_CN2[1]) == getKR_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[2]) == getPkI_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[3]) == getPsk_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[4]) == ConnectionKRI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[5]) == ConnectionKIR_c7a67a88_F(conn_V0_CN1) +// invariant acc(token_c3672ae3_F(t1_V1)) && acc(P_Resp_c0f0ff6b_F(t1_V1, responder_V0_CN0.getRid(), s1_V1)) +// invariant ConnectionNonceVal_c7a67a88_F(conn_V0_CN1) >= 0 +// invariant firstReceive_V1 ==> 0 < St_Resp_2_3e61b158_F(responder_V0_CN0.getRid(), getFirst_d2674021_F(responder_V0_CN0.getPP()), getSecond_d2674021_F(responder_V0_CN0.getPP()), getThird_d2674021_F(responder_V0_CN0.getPP()), getForth_d2674021_F(responder_V0_CN0.getPP()), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1 +// invariant !firstReceive_V1 ==> 0 < St_Resp_3_3e61b158_F(responder_V0_CN0.getRid(), getFirst_d2674021_F(responder_V0_CN0.getPP()), getSecond_d2674021_F(responder_V0_CN0.getPP()), getThird_d2674021_F(responder_V0_CN0.getPP()), getForth_d2674021_F(responder_V0_CN0.getPP()), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1 + + + while (true) + invariant acc(ResponderMem_22e24f7d_F(responder_V0_CN0), write) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), write) + invariant |v_V0_CN2| == 6 && gamma_b3aa12e7_F(v_V0_CN2[0]) == ConnectionSidI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[1]) == getKR_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[2]) == getPkI_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[3]) == getPsk_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[4]) == ConnectionKRI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[5]) == ConnectionKIR_c7a67a88_F(conn_V0_CN1) + invariant acc(token_c3672ae3_F(t1_V1), write) && acc(P_Resp_c0f0ff6b_F(t1_V1, getRid_22e24f7d_PMResponder(responder_V0_CN0), s1_V1), write) + invariant ConnectionNonceVal_c7a67a88_F(conn_V0_CN1) >= 0 + invariant 
firstReceive_V1 ==> 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0_CN0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1)) + invariant !firstReceive_V1 ==> 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0_CN0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1)) + { + + // decl L$11$1$Continue + + // decl response_V2: ByteString_c7a67a88_T°, done_V2: bool°, rid_V2: Term_1186dc0d_T°, N111: ByteString_c7a67a88_T°, N112: bool°, N113: Term_1186dc0d_T°, N114: Place_c3672ae3_T°, request_V2: ByteString_c7a67a88_T°, ok_V2: bool°, msgT_V2: Term_1186dc0d_T°, t2_V2: Place_c3672ae3_T° + var t2_V2: D$fe170ee1_c3672ae3_ + var msgT_V2: D$9084e2f5_1186dc0d_ + var ok_V2: Bool + var request_V2: Slice[Ref] + var N114: D$fe170ee1_c3672ae3_ + var N113: D$9084e2f5_1186dc0d_ + var N112: Bool + var N111: Slice[Ref] + var rid_V2: D$9084e2f5_1186dc0d_ + var done_V2: Bool + var response_V2: Slice[Ref] + + // init response_V2 + inhale response_V2 == sliceDefault_Intbyte$$$_S_$$$() + + // response_V2 = dflt[ByteString_c7a67a88_T] + response_V2 := sliceDefault_Intbyte$$$_S_$$$() + + // init done_V2 + inhale done_V2 == false + + // done_V2 = false + done_V2 := false + + // decl L$22$2$Break + + // while(!done_V2) +// invariant acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/4) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1/2) +// invariant len(v_V0_CN2) == 6 && gamma_b3aa12e7_F(v_V0_CN2[0]) == 
ConnectionSidI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[1]) == getKR_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[2]) == getPkI_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[3]) == getPsk_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[4]) == ConnectionKRI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[5]) == ConnectionKIR_c7a67a88_F(conn_V0_CN1) +// invariant acc(token_c3672ae3_F(t1_V1)) && acc(P_Resp_c0f0ff6b_F(t1_V1, responder_V0_CN0.getRid(), s1_V1)) +// invariant !done_V2 && firstReceive_V1 ==> 0 < St_Resp_2_3e61b158_F(responder_V0_CN0.getRid(), getFirst_d2674021_F(responder_V0_CN0.getPP()), getSecond_d2674021_F(responder_V0_CN0.getPP()), getThird_d2674021_F(responder_V0_CN0.getPP()), getForth_d2674021_F(responder_V0_CN0.getPP()), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1 +// invariant !done_V2 && !firstReceive_V1 ==> 0 < St_Resp_3_3e61b158_F(responder_V0_CN0.getRid(), getFirst_d2674021_F(responder_V0_CN0.getPP()), getSecond_d2674021_F(responder_V0_CN0.getPP()), getThird_d2674021_F(responder_V0_CN0.getPP()), getForth_d2674021_F(responder_V0_CN0.getPP()), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1 +// invariant done_V2 ==> acc(Mem_c7a67a88_F(response_V2)) +// invariant done_V2 ==> 0 < St_Resp_3_3e61b158_F(responder_V0_CN0.getRid(), getFirst_d2674021_F(responder_V0_CN0.getPP()), getSecond_d2674021_F(responder_V0_CN0.getPP()), getThird_d2674021_F(responder_V0_CN0.getPP()), getForth_d2674021_F(responder_V0_CN0.getPP()), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1 + + + while (!done_V2) + invariant acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 4) && acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1 / 2) + invariant |v_V0_CN2| == 6 && gamma_b3aa12e7_F(v_V0_CN2[0]) == ConnectionSidI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[1]) == getKR_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[2]) == getPkI_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[3]) == 
getPsk_22e24f7d_F(responder_V0_CN0) && gamma_b3aa12e7_F(v_V0_CN2[4]) == ConnectionKRI_c7a67a88_F(conn_V0_CN1) && gamma_b3aa12e7_F(v_V0_CN2[5]) == ConnectionKIR_c7a67a88_F(conn_V0_CN1) + invariant acc(token_c3672ae3_F(t1_V1), write) && acc(P_Resp_c0f0ff6b_F(t1_V1, getRid_22e24f7d_PMResponder(responder_V0_CN0), s1_V1), write) + invariant !done_V2 && firstReceive_V1 ==> 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0_CN0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1)) + invariant !done_V2 && !firstReceive_V1 ==> 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0_CN0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1)) + invariant done_V2 ==> acc(Mem_c7a67a88_F(response_V2), write) + invariant done_V2 ==> 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0_CN0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0_CN0)), v_V0_CN2[0], v_V0_CN2[4], v_V0_CN2[5]) in s1_V1)) + { + + // decl L$22$2$Continue + + // decl N106: ByteString_c7a67a88_T°, N107: bool°, N108: Place_c3672ae3_T°, N109: mset[Fact_3e61b158_T]° + var N109: Multiset[D$226445f2_3e61b158_] + var N108: D$fe170ee1_c3672ae3_ + var N107: Bool + var N106: Slice[Ref] + + // N106, N107, N108, N109 = 
responder_V0_CN0receiveMessage(conn_V0_CN1, firstReceive_V1, v_V0_CN2, t1_V1, s1_V1) + N106, N107, N108, N109 := receiveMessage_22e24f7d_PMResponder(responder_V0_CN0, conn_V0_CN1, firstReceive_V1, v_V0_CN2, t1_V1, s1_V1) + + // response_V2 = N106 + response_V2 := N106 + + // done_V2 = N107 + done_V2 := N107 + + // t1_V1 = N108 + t1_V1 := N108 + + // s1_V1 = N109 + s1_V1 := N109 + + // L$22$2$Continue + label L$22$2$Continue + if (!done_V2) { + + } + + } + + // L$22$2$Break + label L$22$2$Break + + // firstReceive_V1 = false + firstReceive_V1 := false + + // init rid_V2 + inhale rid_V2 == dfltD$9084e2f5_1186dc0d_() + + // rid_V2 = responder_V0_CN0.getRid() + rid_V2 := getRid_22e24f7d_PMResponder(responder_V0_CN0) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // unfold acc(phiRF_Resp_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + unfold acc(phiRF_Resp_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0)) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), write) + + // &*responder_V0_CN0.LibStateAConsumePacket(response_V2) + ConsumePacket_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), response_V2) + + // N111, N112, N113, N114 = &*responder_V0_CN0.LibStateAGetPacket(t1_V1, rid_V2) + N111, N112, N113, N114 := GetPacket_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), t1_V1, rid_V2) + + // init request_V2 + inhale request_V2 == sliceDefault_Intbyte$$$_S_$$$() + + // init ok_V2 + inhale ok_V2 == false + + // init msgT_V2 + inhale msgT_V2 == dfltD$9084e2f5_1186dc0d_() + + // init t2_V2 + inhale t2_V2 == dfltD$fe170ee1_c3672ae3_() + + // request_V2 = N111 + request_V2 := N111 + + // ok_V2 = N112 + ok_V2 := N112 + + // msgT_V2 = N113 + msgT_V2 := N113 + + // t2_V2 = N114 + t2_V2 := N114 + + // t1_V1 = t2_V2 + t1_V1 := t2_V2 + + // fold 
acc(ResponderMem_22e24f7d_F(responder_V0_CN0)) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), write) + + // if(!ok_V2) {...} else {...} + if (!ok_V2) { + + // decl + + // fold acc(phiRF_Resp_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + fold acc(phiRF_Resp_13_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + + // fold acc(P_Resp_c0f0ff6b_F(t1_V1, rid_V2, s1_V1)) + fold acc(P_Resp_c0f0ff6b_F(t1_V1, rid_V2, s1_V1), write) + } + + // if(ok_V2) {...} else {...} + if (ok_V2) { + + // decl N116: bool°, N117: bool°, N118: bool°, N119: Place_c3672ae3_T°, N120: mset[Fact_3e61b158_T]° + var N120: Multiset[D$226445f2_3e61b158_] + var N119: D$fe170ee1_c3672ae3_ + var N118: Bool + var N117: Bool + var N116: Bool + + // s1_V1 = s1_V1 union mset[Fact_3e61b158_T] { Message_Resp_3e61b158_F(rid_V2, msgT_V2) } + s1_V1 := (s1_V1 union Multiset(Message_Resp_3e61b158_F(rid_V2, msgT_V2))) + + // N118, N119, N120 = responder_V0_CN0sendMessage(request_V2, conn_V0_CN1, msgT_V2, v_V0_CN2, t1_V1, s1_V1) + N118, N119, N120 := sendMessage_22e24f7d_PMResponder(responder_V0_CN0, request_V2, conn_V0_CN1, msgT_V2, v_V0_CN2, t1_V1, s1_V1) + + // N117 = N118 + N117 := N118 + + // t1_V1 = N119 + t1_V1 := N119 + + // s1_V1 = N120 + s1_V1 := N120 + } + + // L$11$1$Continue + label L$11$1$Continue + if (true) { + + } + + } + + // L$11$1$Break + label L$11$1$Break + label returnLabel +} + +method sendMessage_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], msg_V0: Slice[Ref], conn_V0: ShStruct4[Ref, Ref, Ref, Ref], msgT_V0: D$9084e2f5_1186dc0d_, v_V0: Seq[D$9084e2f5_1186dc0d_], t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) && acc(Mem_c7a67a88_F(msg_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && 
acc(P_Resp_c0f0ff6b_F(t_V0, getRid_22e24f7d_PMResponder(responder_V0), s_V0), write) + requires |v_V0| == 6 && gamma_b3aa12e7_F(v_V0[0]) == ConnectionSidI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v_V0[1]) == getKR_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[4]) == ConnectionKRI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v_V0[5]) == ConnectionKIR_c7a67a88_F(conn_V0) + requires ConnectionNonceVal_c7a67a88_F(conn_V0) >= 0 + requires 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s_V0)) + requires gamma_b3aa12e7_F(msgT_V0) == Abs_c7a67a88_F(msg_V0) && 0 < ((Message_Resp_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), msgT_V0) in s_V0)) + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), write) + ensures acc(token_c3672ae3_F(t1_V0), write) && acc(P_Resp_c0f0ff6b_F(t1_V0, getRid_22e24f7d_PMResponder(responder_V0), s1_V0), write) + ensures 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s1_V0)) + ensures ConnectionSidI_c7a67a88_F(conn_V0) == old(ConnectionSidI_c7a67a88_F(conn_V0)) && ConnectionKIR_c7a67a88_F(conn_V0) == old(ConnectionKIR_c7a67a88_F(conn_V0)) && ConnectionKRI_c7a67a88_F(conn_V0) == old(ConnectionKRI_c7a67a88_F(conn_V0)) + ensures ConnectionNonceVal_c7a67a88_F(conn_V0) >= 0 
+{ + inhale ok_V0 == false + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, msg_V0_CN1: ByteString_c7a67a88_T°, conn_V0_CN2: *Connection_c7a67a88_T°, msgT_V0_CN3: Term_1186dc0d_T°, v_V0_CN4: seq[Term_1186dc0d_T]°, t_V0_CN5: Place_c3672ae3_T°, s_V0_CN6: mset[Fact_3e61b158_T]°, ok_V0_CN7: bool°, t1_V0_CN8: Place_c3672ae3_T°, s1_V0_CN9: mset[Fact_3e61b158_T]° + var s1_V0_CN9: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN8: D$fe170ee1_c3672ae3_ + var ok_V0_CN7: Bool + var s_V0_CN6: Multiset[D$226445f2_3e61b158_] + var t_V0_CN5: D$fe170ee1_c3672ae3_ + var v_V0_CN4: Seq[D$9084e2f5_1186dc0d_] + var msgT_V0_CN3: D$9084e2f5_1186dc0d_ + var conn_V0_CN2: ShStruct4[Ref, Ref, Ref, Ref] + var msg_V0_CN1: Slice[Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init msg_V0_CN1 + inhale msg_V0_CN1 == sliceDefault_Intbyte$$$_S_$$$() + + // init conn_V0_CN2 + inhale conn_V0_CN2 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init msgT_V0_CN3 + inhale msgT_V0_CN3 == dfltD$9084e2f5_1186dc0d_() + + // init v_V0_CN4 + inhale v_V0_CN4 == Seq[D$9084e2f5_1186dc0d_]() + + // init t_V0_CN5 + inhale t_V0_CN5 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN6 + inhale s_V0_CN6 == Multiset[D$226445f2_3e61b158_]() + + // init ok_V0_CN7 + inhale ok_V0_CN7 == false + + // init t1_V0_CN8 + inhale t1_V0_CN8 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN9 + inhale s1_V0_CN9 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + 
responder_V0_CN0 := responder_V0 + + // msg_V0_CN1 = msg_V0 + msg_V0_CN1 := msg_V0 + + // conn_V0_CN2 = conn_V0 + conn_V0_CN2 := conn_V0 + + // msgT_V0_CN3 = msgT_V0 + msgT_V0_CN3 := msgT_V0 + + // v_V0_CN4 = v_V0 + v_V0_CN4 := v_V0 + + // t_V0_CN5 = t_V0 + t_V0_CN5 := t_V0 + + // s_V0_CN6 = s_V0 + s_V0_CN6 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, N58: uint64°, N59: Place_c3672ae3_T°, nonce_V1: uint64°, N62: ByteString_c7a67a88_T°, nonceBytes_V1: ByteString_c7a67a88_T°, N63: ByteString_c7a67a88_T°, plaintext_V1: ByteString_c7a67a88_T°, N64: ByteString_c7a67a88_T°, N65: bool°, encryptedMsg_V1: ByteString_c7a67a88_T°, N66: *Message_c7a67a88_T°, message_V1: *Message_c7a67a88_T°, N67: ByteString_c7a67a88_T°, packet_V1: ByteString_c7a67a88_T°, Q3sidR_V1: Term_1186dc0d_T°, Q3a_V1: Term_1186dc0d_T°, Q3b_V1: Term_1186dc0d_T°, Q3prologue_V1: Term_1186dc0d_T°, Q3info_V1: Term_1186dc0d_T°, Q3sidI_V1: Term_1186dc0d_T°, Q3kIR_V1: Term_1186dc0d_T°, Q3kRI_V1: Term_1186dc0d_T°, Q3nRI_V1: Term_1186dc0d_T°, Q3p_V1: Term_1186dc0d_T°, l_V1: mset[Fact_3e61b158_T]°, a_V1: mset[Claim_2716b91c_T]°, r_V1: mset[Fact_3e61b158_T]°, N76: Place_c3672ae3_T°, m_V1: Term_1186dc0d_T°, N85: bool°, N86: Place_c3672ae3_T° + var N86: D$fe170ee1_c3672ae3_ + var N85: Bool + var m_V1: D$9084e2f5_1186dc0d_ + var N76: D$fe170ee1_c3672ae3_ + var r_V1: Multiset[D$226445f2_3e61b158_] + var a_V1: Multiset[D$46be403b_2716b91c_] + var l_V1: Multiset[D$226445f2_3e61b158_] + var Q3p_V1: D$9084e2f5_1186dc0d_ + var Q3nRI_V1: D$9084e2f5_1186dc0d_ + var Q3kRI_V1: D$9084e2f5_1186dc0d_ + var Q3kIR_V1: D$9084e2f5_1186dc0d_ + var Q3sidI_V1: D$9084e2f5_1186dc0d_ + var Q3info_V1: D$9084e2f5_1186dc0d_ + var Q3prologue_V1: D$9084e2f5_1186dc0d_ + var Q3b_V1: D$9084e2f5_1186dc0d_ + var Q3a_V1: D$9084e2f5_1186dc0d_ + var Q3sidR_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N67: Slice[Ref] + var message_V1: ShStruct4[Ref, Ref, Ref, Ref] + var N66: ShStruct4[Ref, Ref, Ref, Ref] + var 
encryptedMsg_V1: Slice[Ref] + var N65: Bool + var N64: Slice[Ref] + var plaintext_V1: Slice[Ref] + var N63: Slice[Ref] + var nonceBytes_V1: Slice[Ref] + var N62: Slice[Ref] + var nonce_V1: Int + var N59: D$fe170ee1_c3672ae3_ + var N58: Int + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = responder_V0_CN0.getRid() + rid_V1 := getRid_22e24f7d_PMResponder(responder_V0_CN0) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = responder_V0_CN0.getPP() + pp_V1 := getPP_22e24f7d_PMResponder(responder_V0_CN0) + + // unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // unfold acc(phiRF_Resp_12_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6)) + unfold acc(phiRF_Resp_12_c0f0ff6b_F(t_V0_CN5, rid_V1, s_V0_CN6), write) + + // N58, N59 = GetCounter_c7a67a88_F(*conn_V0_CN2.NonceA, t_V0_CN5, rid_V1) + N58, N59 := GetCounter_c7a67a88_F((ShStructget0of4(conn_V0_CN2): Ref).val$_Int, t_V0_CN5, rid_V1) + + // init nonce_V1 + inhale nonce_V1 == 0 + + // nonce_V1 = N58 + nonce_V1 := N58 + + // t1_V0_CN8 = N59 + t1_V0_CN8 := N59 + + // s1_V0_CN9 = s_V0_CN6 union mset[Fact_3e61b158_T] { Counter_Resp_3e61b158_F(rid_V1, integer64_d2674021_F(nonce_V1)) } + s1_V0_CN9 := (s_V0_CN6 union Multiset(Counter_Resp_3e61b158_F(rid_V1, integer64_d2674021_F(nonce_V1)))) + + // assert acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + assert acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // if(*conn_V0_CN2.NonceA >= 18446744073709543423) {...} else {...} + if ((ShStructget0of4(conn_V0_CN2): Ref).val$_Int >= 18446744073709543423) { + + // decl + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // ok_V0_CN7 = false + 
ok_V0_CN7 := false + + // return + goto returnLabel + } + + // N62 = NonceToBytes_c7a67a88_F(nonce_V1) + N62 := NonceToBytes_c7a67a88_F(nonce_V1) + + // init nonceBytes_V1 + inhale nonceBytes_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // nonceBytes_V1 = N62 + nonceBytes_V1 := N62 + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // N63 = &*responder_V0_CN0.LibStateAPadMsg(msg_V0_CN1) + N63 := PadMsg_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), msg_V0_CN1) + + // init plaintext_V1 + inhale plaintext_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // plaintext_V1 = N63 + plaintext_V1 := N63 + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // N64, N65 = AeadEnc_c7a67a88_F(*conn_V0_CN2.SendKeyA, nonceBytes_V1, plaintext_V1, (nil:ByteString_c7a67a88_T)) + N64, N65 := AeadEnc_c7a67a88_F((ShStructget1of4(conn_V0_CN2): Ref).val$_Slice_Ref, nonceBytes_V1, plaintext_V1, sliceDefault_Intbyte$$$_S_$$$()) + + // init encryptedMsg_V1 + inhale encryptedMsg_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // encryptedMsg_V1 = N64 + encryptedMsg_V1 := N64 + + // ok_V0_CN7 = N65 + ok_V0_CN7 := N65 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // return + goto returnLabel + } + + // N66 = new(Message_c7a67a88_T{4, *conn_V0_CN2.RemoteIndexA, nonce_V1, encryptedMsg_V1}) + var fn$$0: ShStruct4[Ref, Ref, Ref, Ref] + inhale true && acc((ShStructget0of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget1of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget2of4(fn$$0): Ref).val$_Int, write) && acc((ShStructget3of4(fn$$0): Ref).val$_Slice_Ref, write) && (true && (ShStructget0of4(fn$$0): Ref).val$_Int == (get0of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): 
Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Int) && (ShStructget1of4(fn$$0): Ref).val$_Int == (get1of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Int) && (ShStructget2of4(fn$$0): Ref).val$_Int == (get2of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Int) && (ShStructget3of4(fn$$0): Ref).val$_Slice_Ref == (get3of4((tuple4(4, (ShStructget3of4(conn_V0_CN2): Ref).val$_Int, nonce_V1, encryptedMsg_V1): Tuple4[Int, Int, Int, Slice[Ref]])): Slice[Ref])) + N66 := fn$$0 + + // init message_V1 + inhale message_V1 == shStructDefault_$TypeA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_NonceA_Intuint64$$$_S_$$$_PayloadA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // message_V1 = N66 + message_V1 := N66 + + // N67 = MarshalMessage_c7a67a88_F(message_V1) + N67 := MarshalMessage_c7a67a88_F(message_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // packet_V1 = N67 + packet_V1 := N67 + + // init Q3sidR_V1 + inhale Q3sidR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3sidR_V1 = rid_V1 + Q3sidR_V1 := rid_V1 + + // init Q3a_V1 + inhale Q3a_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3a_V1 = getFirst_d2674021_F(pp_V1) + Q3a_V1 := getFirst_d2674021_F(pp_V1) + + // init Q3b_V1 + inhale Q3b_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3b_V1 = getSecond_d2674021_F(pp_V1) + Q3b_V1 := getSecond_d2674021_F(pp_V1) + + // init Q3prologue_V1 + inhale Q3prologue_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3prologue_V1 = getThird_d2674021_F(pp_V1) + Q3prologue_V1 := getThird_d2674021_F(pp_V1) + + // init Q3info_V1 + inhale Q3info_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3info_V1 = getForth_d2674021_F(pp_V1) + Q3info_V1 := getForth_d2674021_F(pp_V1) + + // init Q3sidI_V1 + inhale Q3sidI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3sidI_V1 = v_V0_CN4[0] + Q3sidI_V1 := v_V0_CN4[0] + + // init 
Q3kIR_V1 + inhale Q3kIR_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3kIR_V1 = v_V0_CN4[4] + Q3kIR_V1 := v_V0_CN4[4] + + // init Q3kRI_V1 + inhale Q3kRI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3kRI_V1 = v_V0_CN4[5] + Q3kRI_V1 := v_V0_CN4[5] + + // init Q3nRI_V1 + inhale Q3nRI_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3nRI_V1 = integer64_d2674021_F(nonce_V1) + Q3nRI_V1 := integer64_d2674021_F(nonce_V1) + + // init Q3p_V1 + inhale Q3p_V1 == dfltD$9084e2f5_1186dc0d_() + + // Q3p_V1 = msgT_V0_CN3 + Q3p_V1 := msgT_V0_CN3 + + // init l_V1 + inhale l_V1 == Multiset[D$226445f2_3e61b158_]() + + // l_V1 = InternalResp4L_d2674021_F(Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1) + l_V1 := InternalResp4L_d2674021_F(Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1) + + // init a_V1 + inhale a_V1 == Multiset[D$46be403b_2716b91c_]() + + // a_V1 = InternalResp4A_d2674021_F(Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1) + a_V1 := InternalResp4A_d2674021_F(Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1) + + // init r_V1 + inhale r_V1 == Multiset[D$226445f2_3e61b158_]() + + // r_V1 = InternalResp4R_d2674021_F(Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1) + r_V1 := InternalResp4R_d2674021_F(Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // unfold acc(phiR_Resp_3_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(phiR_Resp_3_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // N76 = internBIO_e_Send_Resp_Loop_c0f0ff6b_F(t1_V0_CN8, Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, 
Q3p_V1, l_V1, a_V1, r_V1) + N76 := internBIO_e_Send_Resp_Loop_c0f0ff6b_F(t1_V0_CN8, Q3sidR_V1, Q3a_V1, Q3b_V1, Q3prologue_V1, Q3info_V1, Q3sidI_V1, Q3kIR_V1, Q3kRI_V1, Q3nRI_V1, Q3p_V1, l_V1, a_V1, r_V1) + + // t1_V0_CN8 = N76 + t1_V0_CN8 := N76 + + // s1_V0_CN9 = U_3e61b158_F(l_V1, r_V1, s1_V0_CN9) + s1_V0_CN9 := U_3e61b158_F(l_V1, r_V1, s1_V0_CN9) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // unfold acc(phiRG_Resp_5_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(phiRG_Resp_5_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // init m_V1 + inhale m_V1 == dfltD$9084e2f5_1186dc0d_() + + // m_V1 = tuple4_d2674021_F(integer32_d2674021_F(4), v_V0_CN4[0], integer64_d2674021_F(nonce_V1), aead_d2674021_F(v_V0_CN4[5], integer64_d2674021_F(nonce_V1), msgT_V0_CN3, zeroString_d2674021_F(0))) + m_V1 := tuple4_d2674021_F(integer32_d2674021_F(4), v_V0_CN4[0], integer64_d2674021_F(nonce_V1), aead_d2674021_F(v_V0_CN4[5], integer64_d2674021_F(nonce_V1), msgT_V0_CN3, zeroString_d2674021_F(0))) + + // assert 0 < OutFact_Resp_3e61b158_F(rid_V1, m_V1) in s1_V0_CN9 + assert 0 < ((OutFact_Resp_3e61b158_F(rid_V1, m_V1) in s1_V0_CN9)) + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // N85, N86 = &*responder_V0_CN0.LibStateASend(packet_V1, t1_V0_CN8, rid_V1, m_V1) + N85, N86 := Send_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), packet_V1, t1_V0_CN8, rid_V1, m_V1) + + // ok_V0_CN7 = N85 + ok_V0_CN7 := N85 + + // t1_V0_CN8 = N86 + t1_V0_CN8 := N86 + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // fold acc(phiRG_Resp_5_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + fold acc(phiRG_Resp_5_c0f0ff6b_F(t1_V0_CN8, 
rid_V1, s1_V0_CN9), write) + + // fold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + fold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + } + + // if(ok_V0_CN7) {...} else {...} + if (ok_V0_CN7) { + + // decl + + // s1_V0_CN9 = s1_V0_CN9 setminus mset[Fact_3e61b158_T] { OutFact_Resp_3e61b158_F(rid_V1, m_V1) } + s1_V0_CN9 := (s1_V0_CN9 setminus Multiset(OutFact_Resp_3e61b158_F(rid_V1, m_V1))) + + // *conn_V0_CN2.NonceA = *conn_V0_CN2.NonceA + 1 + (ShStructget0of4(conn_V0_CN2): Ref).val$_Int := (ShStructget0of4(conn_V0_CN2): Ref).val$_Int + 1 + } + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2)) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN2), write) + + // return + goto returnLabel + label returnLabel + + // ok_V0 = ok_V0_CN7 + ok_V0 := ok_V0_CN7 + + // t1_V0 = t1_V0_CN8 + t1_V0 := t1_V0_CN8 + + // s1_V0 = s1_V0_CN9 + s1_V0 := s1_V0_CN9 +} + +method receiveMessage_22e24f7d_PMResponder(responder_V0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref], conn_V0: ShStruct4[Ref, Ref, Ref, Ref], q_V0: Bool, v_V0: Seq[D$9084e2f5_1186dc0d_], t_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (msg_V0: Slice[Ref], ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_, s1_V0: Multiset[D$226445f2_3e61b158_]) + requires acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), 1 / 8) + requires acc(token_c3672ae3_F(t_V0), write) && acc(P_Resp_c0f0ff6b_F(t_V0, getRid_22e24f7d_PMResponder(responder_V0), s_V0), write) + requires |v_V0| == 6 && gamma_b3aa12e7_F(v_V0[0]) == ConnectionSidI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v_V0[1]) == getKR_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[2]) == getPkI_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[3]) == getPsk_22e24f7d_F(responder_V0) && gamma_b3aa12e7_F(v_V0[4]) == ConnectionKRI_c7a67a88_F(conn_V0) && gamma_b3aa12e7_F(v_V0[5]) == ConnectionKIR_c7a67a88_F(conn_V0) + requires (q_V0 ==> 0 < 
((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s_V0))) && (!q_V0 ==> 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s_V0))) + ensures acc(ResponderMem_22e24f7d_F(responder_V0), 1 / 8) && acc(ConnectionMem_c7a67a88_F(conn_V0), 1 / 8) + ensures acc(token_c3672ae3_F(t1_V0), write) && acc(P_Resp_c0f0ff6b_F(t1_V0, getRid_22e24f7d_PMResponder(responder_V0), s1_V0), write) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(msg_V0), write) + ensures ok_V0 ==> 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s1_V0)) + ensures !ok_V0 ==> (q_V0 ==> 0 < ((St_Resp_2_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s1_V0))) && (!q_V0 ==> 0 < ((St_Resp_3_3e61b158_F(getRid_22e24f7d_PMResponder(responder_V0), getFirst_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), 
getSecond_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getThird_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), getForth_d2674021_F(getPP_22e24f7d_PMResponder(responder_V0)), v_V0[0], v_V0[4], v_V0[5]) in s1_V0))) +{ + inhale msg_V0 == sliceDefault_Intbyte$$$_S_$$$() + inhale ok_V0 == false + inhale t1_V0 == dfltD$fe170ee1_c3672ae3_() + inhale s1_V0 == Multiset[D$226445f2_3e61b158_]() + + // decl responder_V0_CN0: *Responder_22e24f7d_T°, conn_V0_CN1: *Connection_c7a67a88_T°, q_V0_CN2: bool°, v_V0_CN3: seq[Term_1186dc0d_T]°, t_V0_CN4: Place_c3672ae3_T°, s_V0_CN5: mset[Fact_3e61b158_T]°, msg_V0_CN6: ByteString_c7a67a88_T°, ok_V0_CN7: bool°, t1_V0_CN8: Place_c3672ae3_T°, s1_V0_CN9: mset[Fact_3e61b158_T]° + var s1_V0_CN9: Multiset[D$226445f2_3e61b158_] + var t1_V0_CN8: D$fe170ee1_c3672ae3_ + var ok_V0_CN7: Bool + var msg_V0_CN6: Slice[Ref] + var s_V0_CN5: Multiset[D$226445f2_3e61b158_] + var t_V0_CN4: D$fe170ee1_c3672ae3_ + var v_V0_CN3: Seq[D$9084e2f5_1186dc0d_] + var q_V0_CN2: Bool + var conn_V0_CN1: ShStruct4[Ref, Ref, Ref, Ref] + var responder_V0_CN0: ShStruct4[ShStruct4[Ref, Ref, Ref, Ref], ShStruct5[Ref, Ref, Ref, Ref, Ref], Ref, Ref] + + + + // init responder_V0_CN0 + inhale responder_V0_CN0 == shStructDefault_$LibStateA_DefinedLibraryState_c7a67a88_T$$$_S_$$$_HandshakeInfoA_DefinedHandshakeArguments_c7a67a88_T$$$_S_$$$_aA_Intuint32$$$_S_$$$_bA_Intuint32$$$_S_$$$$() + + // init conn_V0_CN1 + inhale conn_V0_CN1 == shStructDefault_$NonceA_Intuint64$$$_S_$$$_SendKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RecvKeyA_DefinedByteString_c7a67a88_T$$$_S_$$$_RemoteIndexA_Intuint32$$$_S_$$$$() + + // init q_V0_CN2 + inhale q_V0_CN2 == false + + // init v_V0_CN3 + inhale v_V0_CN3 == Seq[D$9084e2f5_1186dc0d_]() + + // init t_V0_CN4 + inhale t_V0_CN4 == dfltD$fe170ee1_c3672ae3_() + + // init s_V0_CN5 + inhale s_V0_CN5 == Multiset[D$226445f2_3e61b158_]() + + // init msg_V0_CN6 + inhale msg_V0_CN6 == sliceDefault_Intbyte$$$_S_$$$() + + // init ok_V0_CN7 + inhale 
ok_V0_CN7 == false + + // init t1_V0_CN8 + inhale t1_V0_CN8 == dfltD$fe170ee1_c3672ae3_() + + // init s1_V0_CN9 + inhale s1_V0_CN9 == Multiset[D$226445f2_3e61b158_]() + + // responder_V0_CN0 = responder_V0 + responder_V0_CN0 := responder_V0 + + // conn_V0_CN1 = conn_V0 + conn_V0_CN1 := conn_V0 + + // q_V0_CN2 = q_V0 + q_V0_CN2 := q_V0 + + // v_V0_CN3 = v_V0 + v_V0_CN3 := v_V0 + + // t_V0_CN4 = t_V0 + t_V0_CN4 := t_V0 + + // s_V0_CN5 = s_V0 + s_V0_CN5 := s_V0 + + // decl rid_V1: Term_1186dc0d_T°, pp_V1: Term_1186dc0d_T°, N78: ByteString_c7a67a88_T°, N79: bool°, N80: Term_1186dc0d_T°, N81: Place_c3672ae3_T°, packet_V1: ByteString_c7a67a88_T°, c_V1: Term_1186dc0d_T°, N82: *Message_c7a67a88_T°, N83: bool°, message_V1: *Message_c7a67a88_T°, N84: ByteString_c7a67a88_T°, nonceBytes_V1: ByteString_c7a67a88_T°, N85: ByteString_c7a67a88_T°, N86: bool°, plaintext_V1: ByteString_c7a67a88_T°, m_V1: Bytes_b3aa12e7_T°, n_V1: Bytes_b3aa12e7_T°, N91: Term_1186dc0d_T°, N92: Term_1186dc0d_T°, nX_V1: Term_1186dc0d_T°, mX_V1: Term_1186dc0d_T°, N111: ByteString_c7a67a88_T° + var N111: Slice[Ref] + var mX_V1: D$9084e2f5_1186dc0d_ + var nX_V1: D$9084e2f5_1186dc0d_ + var N92: D$9084e2f5_1186dc0d_ + var N91: D$9084e2f5_1186dc0d_ + var n_V1: D$8d64a7ad_b3aa12e7_ + var m_V1: D$8d64a7ad_b3aa12e7_ + var plaintext_V1: Slice[Ref] + var N86: Bool + var N85: Slice[Ref] + var nonceBytes_V1: Slice[Ref] + var N84: Slice[Ref] + var message_V1: ShStruct4[Ref, Ref, Ref, Ref] + var N83: Bool + var N82: ShStruct4[Ref, Ref, Ref, Ref] + var c_V1: D$9084e2f5_1186dc0d_ + var packet_V1: Slice[Ref] + var N81: D$fe170ee1_c3672ae3_ + var N80: D$9084e2f5_1186dc0d_ + var N79: Bool + var N78: Slice[Ref] + var pp_V1: D$9084e2f5_1186dc0d_ + var rid_V1: D$9084e2f5_1186dc0d_ + + // init rid_V1 + inhale rid_V1 == dfltD$9084e2f5_1186dc0d_() + + // rid_V1 = responder_V0_CN0.getRid() + rid_V1 := getRid_22e24f7d_PMResponder(responder_V0_CN0) + + // init pp_V1 + inhale pp_V1 == dfltD$9084e2f5_1186dc0d_() + + // pp_V1 = 
responder_V0_CN0.getPP() + pp_V1 := getPP_22e24f7d_PMResponder(responder_V0_CN0) + + // unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN4, rid_V1, s_V0_CN5)) + unfold acc(P_Resp_c0f0ff6b_F(t_V0_CN4, rid_V1, s_V0_CN5), write) + + // unfold acc(phiRF_Resp_9_c0f0ff6b_F(t_V0_CN4, rid_V1, s_V0_CN5)) + unfold acc(phiRF_Resp_9_c0f0ff6b_F(t_V0_CN4, rid_V1, s_V0_CN5), write) + + // s1_V0_CN9 = s_V0_CN5 union mset[Fact_3e61b158_T] { InFact_Resp_3e61b158_F(rid_V1, get_e_InFact_r1_c0f0ff6b_F(t_V0_CN4, rid_V1)) } + s1_V0_CN9 := (s_V0_CN5 union Multiset(InFact_Resp_3e61b158_F(rid_V1, get_e_InFact_r1_c0f0ff6b_F(t_V0_CN4, rid_V1)))) + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // N78, N79, N80, N81 = &*responder_V0_CN0.LibStateAReceive(t_V0_CN4, rid_V1) + N78, N79, N80, N81 := Receive_c7a67a88_PMLibraryState((ShStructget0of4(responder_V0_CN0): ShStruct4[Ref, Ref, Ref, Ref]), t_V0_CN4, rid_V1) + + // init packet_V1 + inhale packet_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // init c_V1 + inhale c_V1 == dfltD$9084e2f5_1186dc0d_() + + // packet_V1 = N78 + packet_V1 := N78 + + // ok_V0_CN7 = N79 + ok_V0_CN7 := N79 + + // c_V1 = N80 + c_V1 := N80 + + // t1_V0_CN8 = N81 + t1_V0_CN8 := N81 + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // s1_V0_CN9 = s_V0_CN5 + s1_V0_CN9 := s_V0_CN5 + + // fold acc(phiRF_Resp_9_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + fold acc(phiRF_Resp_9_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // fold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + fold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // return + goto returnLabel + } + + // N82, N83 = UnmarshalMessage_c7a67a88_F(packet_V1) + N82, N83 := UnmarshalMessage_c7a67a88_F(packet_V1) + + // init message_V1 + inhale message_V1 == 
shStructDefault_$TypeA_Intuint32$$$_S_$$$_ReceiverA_Intuint32$$$_S_$$$_NonceA_Intuint64$$$_S_$$$_PayloadA_DefinedByteString_c7a67a88_T$$$_S_$$$$() + + // message_V1 = N82 + message_V1 := N82 + + // ok_V0_CN7 = N83 + ok_V0_CN7 := N83 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // ok_V0_CN7 = *message_V1.TypeA == 4 + ok_V0_CN7 := (ShStructget0of4(message_V1): Ref).val$_Int == 4 + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + unfold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // unfold acc(HandshakeArgsMem_c7a67a88_F(&*responder_V0_CN0.HandshakeInfoA), 1/8) + unfold acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), 1 / 8) + + // ok_V0_CN7 = *responder_V0_CN0.HandshakeInfoA.LocalIndexA == *message_V1.ReceiverA + ok_V0_CN7 := (ShStructget2of5((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])): Ref).val$_Int == (ShStructget1of4(message_V1): Ref).val$_Int + + // fold acc(HandshakeArgsMem_c7a67a88_F(&*responder_V0_CN0.HandshakeInfoA), 1/8) + fold acc(HandshakeArgsMem_c7a67a88_F((ShStructget1of4(responder_V0_CN0): ShStruct5[Ref, Ref, Ref, Ref, Ref])), 1 / 8) + + // fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1/8) + fold acc(ResponderMem_22e24f7d_F(responder_V0_CN0), 1 / 8) + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // N84 = NonceToBytes_c7a67a88_F(*message_V1.NonceA) + N84 := NonceToBytes_c7a67a88_F((ShStructget2of4(message_V1): Ref).val$_Int) + + // init nonceBytes_V1 + inhale nonceBytes_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // nonceBytes_V1 = N84 + nonceBytes_V1 := N84 + + // unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1/8) + unfold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1 / 8) + + // N85, N86 = 
AeadDec_c7a67a88_F(*conn_V0_CN1.RecvKeyA, nonceBytes_V1, *message_V1.PayloadA, (nil:ByteString_c7a67a88_T)) + N85, N86 := AeadDec_c7a67a88_F((ShStructget2of4(conn_V0_CN1): Ref).val$_Slice_Ref, nonceBytes_V1, (ShStructget3of4(message_V1): Ref).val$_Slice_Ref, sliceDefault_Intbyte$$$_S_$$$()) + + // init plaintext_V1 + inhale plaintext_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // plaintext_V1 = N85 + plaintext_V1 := N85 + + // ok_V0_CN7 = N86 + ok_V0_CN7 := N86 + + // fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1/8) + fold acc(ConnectionMem_c7a67a88_F(conn_V0_CN1), 1 / 8) + + // if(!ok_V0_CN7) {...} else {...} + if (!ok_V0_CN7) { + + // decl + + // return + goto returnLabel + } + + // init m_V1 + inhale m_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // m_V1 = Abs_c7a67a88_F(plaintext_V1) + m_V1 := Abs_c7a67a88_F(plaintext_V1) + + // init n_V1 + inhale n_V1 == dfltD$8d64a7ad_b3aa12e7_() + + // n_V1 = integer64B_b3aa12e7_F(*message_V1.NonceA) + n_V1 := integer64B_b3aa12e7_F((ShStructget2of4(message_V1): Ref).val$_Int) + + // N91, N92 = patternProperty4_8142c2d2_F(rid_V1, pp_V1, v_V0_CN3[0], v_V0_CN3[5], v_V0_CN3[4], oneTerm_b3aa12e7_F(n_V1), oneTerm_b3aa12e7_F(m_V1), c_V1, t1_V0_CN8, s1_V0_CN9, false) + N91, N92 := patternProperty4_8142c2d2_F(rid_V1, pp_V1, v_V0_CN3[0], v_V0_CN3[5], v_V0_CN3[4], oneTerm_b3aa12e7_F(n_V1), oneTerm_b3aa12e7_F(m_V1), c_V1, t1_V0_CN8, s1_V0_CN9, false) + + // init nX_V1 + inhale nX_V1 == dfltD$9084e2f5_1186dc0d_() + + // init mX_V1 + inhale mX_V1 == dfltD$9084e2f5_1186dc0d_() + + // nX_V1 = N91 + nX_V1 := N91 + + // mX_V1 = N92 + mX_V1 := N92 + + // if(q_V0_CN2) {...} else {...} + if (q_V0_CN2) { + + // decl Q4sidR_V3: Term_1186dc0d_T°, Q4a_V3: Term_1186dc0d_T°, Q4b_V3: Term_1186dc0d_T°, Q4prologue_V3: Term_1186dc0d_T°, Q4info_V3: Term_1186dc0d_T°, Q4sidI_V3: Term_1186dc0d_T°, Q4kIR_V3: Term_1186dc0d_T°, Q4kRI_V3: Term_1186dc0d_T°, Q4x_V3: Term_1186dc0d_T°, Q4n_V3: Term_1186dc0d_T°, Q4p_V3: Term_1186dc0d_T°, l_V3: mset[Fact_3e61b158_T]°, a_V3: 
mset[Claim_2716b91c_T]°, r_V3: mset[Fact_3e61b158_T]°, N109: Place_c3672ae3_T° + var N109: D$fe170ee1_c3672ae3_ + var r_V3: Multiset[D$226445f2_3e61b158_] + var a_V3: Multiset[D$46be403b_2716b91c_] + var l_V3: Multiset[D$226445f2_3e61b158_] + var Q4p_V3: D$9084e2f5_1186dc0d_ + var Q4n_V3: D$9084e2f5_1186dc0d_ + var Q4x_V3: D$9084e2f5_1186dc0d_ + var Q4kRI_V3: D$9084e2f5_1186dc0d_ + var Q4kIR_V3: D$9084e2f5_1186dc0d_ + var Q4sidI_V3: D$9084e2f5_1186dc0d_ + var Q4info_V3: D$9084e2f5_1186dc0d_ + var Q4prologue_V3: D$9084e2f5_1186dc0d_ + var Q4b_V3: D$9084e2f5_1186dc0d_ + var Q4a_V3: D$9084e2f5_1186dc0d_ + var Q4sidR_V3: D$9084e2f5_1186dc0d_ + + // init Q4sidR_V3 + inhale Q4sidR_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4sidR_V3 = rid_V1 + Q4sidR_V3 := rid_V1 + + // init Q4a_V3 + inhale Q4a_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4a_V3 = getFirst_d2674021_F(pp_V1) + Q4a_V3 := getFirst_d2674021_F(pp_V1) + + // init Q4b_V3 + inhale Q4b_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4b_V3 = getSecond_d2674021_F(pp_V1) + Q4b_V3 := getSecond_d2674021_F(pp_V1) + + // init Q4prologue_V3 + inhale Q4prologue_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4prologue_V3 = getThird_d2674021_F(pp_V1) + Q4prologue_V3 := getThird_d2674021_F(pp_V1) + + // init Q4info_V3 + inhale Q4info_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4info_V3 = getForth_d2674021_F(pp_V1) + Q4info_V3 := getForth_d2674021_F(pp_V1) + + // init Q4sidI_V3 + inhale Q4sidI_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4sidI_V3 = v_V0_CN3[0] + Q4sidI_V3 := v_V0_CN3[0] + + // init Q4kIR_V3 + inhale Q4kIR_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4kIR_V3 = v_V0_CN3[4] + Q4kIR_V3 := v_V0_CN3[4] + + // init Q4kRI_V3 + inhale Q4kRI_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4kRI_V3 = v_V0_CN3[5] + Q4kRI_V3 := v_V0_CN3[5] + + // init Q4x_V3 + inhale Q4x_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4x_V3 = rid_V1 + Q4x_V3 := rid_V1 + + // init Q4n_V3 + inhale Q4n_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4n_V3 = nX_V1 + Q4n_V3 := nX_V1 + + // init 
Q4p_V3 + inhale Q4p_V3 == dfltD$9084e2f5_1186dc0d_() + + // Q4p_V3 = mX_V1 + Q4p_V3 := mX_V1 + + // init l_V3 + inhale l_V3 == Multiset[D$226445f2_3e61b158_]() + + // l_V3 = InternalResp3L_d2674021_F(Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3) + l_V3 := InternalResp3L_d2674021_F(Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3) + + // init a_V3 + inhale a_V3 == Multiset[D$46be403b_2716b91c_]() + + // a_V3 = InternalResp3A_d2674021_F(Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3) + a_V3 := InternalResp3A_d2674021_F(Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3) + + // init r_V3 + inhale r_V3 == Multiset[D$226445f2_3e61b158_]() + + // r_V3 = InternalResp3R_d2674021_F(Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3) + r_V3 := InternalResp3R_d2674021_F(Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // unfold acc(phiR_Resp_2_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(phiR_Resp_2_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // N109 = internBIO_e_Receive_First_Resp_c0f0ff6b_F(t1_V0_CN8, Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3, l_V3, a_V3, r_V3) + N109 := internBIO_e_Receive_First_Resp_c0f0ff6b_F(t1_V0_CN8, Q4sidR_V3, Q4a_V3, Q4b_V3, Q4prologue_V3, Q4info_V3, Q4sidI_V3, Q4kIR_V3, Q4kRI_V3, Q4x_V3, Q4n_V3, Q4p_V3, l_V3, a_V3, r_V3) + + // t1_V0_CN8 = N109 + t1_V0_CN8 := N109 + + // s1_V0_CN9 = U_3e61b158_F(l_V3, r_V3, s1_V0_CN9) + s1_V0_CN9 := U_3e61b158_F(l_V3, r_V3, s1_V0_CN9) + } else { + + 
// decl Q5sidR_V2: Term_1186dc0d_T°, Q5a_V2: Term_1186dc0d_T°, Q5b_V2: Term_1186dc0d_T°, Q5prologue_V2: Term_1186dc0d_T°, Q5info_V2: Term_1186dc0d_T°, Q5sidI_V2: Term_1186dc0d_T°, Q5kIR_V2: Term_1186dc0d_T°, Q5kRI_V2: Term_1186dc0d_T°, Q5x_V2: Term_1186dc0d_T°, Q5nIR_V2: Term_1186dc0d_T°, Q5p_V2: Term_1186dc0d_T°, l_V2: mset[Fact_3e61b158_T]°, a_V2: mset[Claim_2716b91c_T]°, r_V2: mset[Fact_3e61b158_T]°, N100: Place_c3672ae3_T° + var N100: D$fe170ee1_c3672ae3_ + var r_V2: Multiset[D$226445f2_3e61b158_] + var a_V2: Multiset[D$46be403b_2716b91c_] + var l_V2: Multiset[D$226445f2_3e61b158_] + var Q5p_V2: D$9084e2f5_1186dc0d_ + var Q5nIR_V2: D$9084e2f5_1186dc0d_ + var Q5x_V2: D$9084e2f5_1186dc0d_ + var Q5kRI_V2: D$9084e2f5_1186dc0d_ + var Q5kIR_V2: D$9084e2f5_1186dc0d_ + var Q5sidI_V2: D$9084e2f5_1186dc0d_ + var Q5info_V2: D$9084e2f5_1186dc0d_ + var Q5prologue_V2: D$9084e2f5_1186dc0d_ + var Q5b_V2: D$9084e2f5_1186dc0d_ + var Q5a_V2: D$9084e2f5_1186dc0d_ + var Q5sidR_V2: D$9084e2f5_1186dc0d_ + + // init Q5sidR_V2 + inhale Q5sidR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5sidR_V2 = rid_V1 + Q5sidR_V2 := rid_V1 + + // init Q5a_V2 + inhale Q5a_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5a_V2 = getFirst_d2674021_F(pp_V1) + Q5a_V2 := getFirst_d2674021_F(pp_V1) + + // init Q5b_V2 + inhale Q5b_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5b_V2 = getSecond_d2674021_F(pp_V1) + Q5b_V2 := getSecond_d2674021_F(pp_V1) + + // init Q5prologue_V2 + inhale Q5prologue_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5prologue_V2 = getThird_d2674021_F(pp_V1) + Q5prologue_V2 := getThird_d2674021_F(pp_V1) + + // init Q5info_V2 + inhale Q5info_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5info_V2 = getForth_d2674021_F(pp_V1) + Q5info_V2 := getForth_d2674021_F(pp_V1) + + // init Q5sidI_V2 + inhale Q5sidI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5sidI_V2 = v_V0_CN3[0] + Q5sidI_V2 := v_V0_CN3[0] + + // init Q5kIR_V2 + inhale Q5kIR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5kIR_V2 = v_V0_CN3[4] + Q5kIR_V2 := 
v_V0_CN3[4] + + // init Q5kRI_V2 + inhale Q5kRI_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5kRI_V2 = v_V0_CN3[5] + Q5kRI_V2 := v_V0_CN3[5] + + // init Q5x_V2 + inhale Q5x_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5x_V2 = rid_V1 + Q5x_V2 := rid_V1 + + // init Q5nIR_V2 + inhale Q5nIR_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5nIR_V2 = nX_V1 + Q5nIR_V2 := nX_V1 + + // init Q5p_V2 + inhale Q5p_V2 == dfltD$9084e2f5_1186dc0d_() + + // Q5p_V2 = mX_V1 + Q5p_V2 := mX_V1 + + // init l_V2 + inhale l_V2 == Multiset[D$226445f2_3e61b158_]() + + // l_V2 = InternalResp5L_d2674021_F(Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2) + l_V2 := InternalResp5L_d2674021_F(Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2) + + // init a_V2 + inhale a_V2 == Multiset[D$46be403b_2716b91c_]() + + // a_V2 = InternalResp5A_d2674021_F(Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2) + a_V2 := InternalResp5A_d2674021_F(Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2) + + // init r_V2 + inhale r_V2 == Multiset[D$226445f2_3e61b158_]() + + // r_V2 = InternalResp5R_d2674021_F(Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2) + r_V2 := InternalResp5R_d2674021_F(Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2) + + // unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(P_Resp_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // unfold acc(phiR_Resp_4_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9)) + unfold acc(phiR_Resp_4_c0f0ff6b_F(t1_V0_CN8, rid_V1, s1_V0_CN9), write) + + // N100 = internBIO_e_Receive_Resp_Loop_c0f0ff6b_F(t1_V0_CN8, Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, 
Q5nIR_V2, Q5p_V2, l_V2, a_V2, r_V2) + N100 := internBIO_e_Receive_Resp_Loop_c0f0ff6b_F(t1_V0_CN8, Q5sidR_V2, Q5a_V2, Q5b_V2, Q5prologue_V2, Q5info_V2, Q5sidI_V2, Q5kIR_V2, Q5kRI_V2, Q5x_V2, Q5nIR_V2, Q5p_V2, l_V2, a_V2, r_V2) + + // t1_V0_CN8 = N100 + t1_V0_CN8 := N100 + + // s1_V0_CN9 = U_3e61b158_F(l_V2, r_V2, s1_V0_CN9) + s1_V0_CN9 := U_3e61b158_F(l_V2, r_V2, s1_V0_CN9) + } + + // N111 = CombineMsg_c7a67a88_F(*message_V1.TypeA, *message_V1.ReceiverA, *message_V1.NonceA, plaintext_V1) + N111 := CombineMsg_c7a67a88_F((ShStructget0of4(message_V1): Ref).val$_Int, (ShStructget1of4(message_V1): Ref).val$_Int, (ShStructget2of4(message_V1): Ref).val$_Int, plaintext_V1) + + // msg_V0_CN6 = N111 + msg_V0_CN6 := N111 + + // return + goto returnLabel + label returnLabel + + // msg_V0 = msg_V0_CN6 + msg_V0 := msg_V0_CN6 + + // ok_V0 = ok_V0_CN7 + ok_V0 := ok_V0_CN7 + + // t1_V0 = t1_V0_CN8 + t1_V0 := t1_V0_CN8 + + // s1_V0 = s1_V0_CN9 + s1_V0 := s1_V0_CN9 +} + +method panic_a4af0e5e_F(v_V0: Tuple2[Ref, Types]) + requires false + + +// decreases +method Error_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) returns (P0_PO0: Int) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf), write) + ensures acc(ErrorMem_a4af0e5e_SY$1dcebcb0_a4af0e5e_(thisItf), write) + + +method internBIO_e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + 
requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Init_1_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, psk_V0, ekI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Init_1_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, psk_V0, ekI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, pkR_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Init_2_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0, sidR_V0, epkR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Init_2_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, kI_V0, pkR_V0, ekI_V0, psk_V0, c3_V0, h4_V0, sidR_V0, epkR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Send_First_Init_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: 
D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Send_First_Init_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Send_First_Init_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Send_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Send_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidI_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, 
prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Receive_Init_Loop_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, x_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Receive_Init_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidI_V0, a_V0, b_V0, prologue_V0, info_V0, sidR_V0, kIR_V0, kRI_V0, x_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, timestamp_V0: D$9084e2f5_1186dc0d_, mac1I_V0: D$9084e2f5_1186dc0d_, mac2I_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Resp_1_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, kR_V0, pkI_V0, psk_V0, sidI_V0, epkI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Resp_1_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, 
info_V0, kR_V0, pkI_V0, psk_V0, sidI_V0, epkI_V0, timestamp_V0, mac1I_V0, mac2I_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, ekR_V0: D$9084e2f5_1186dc0d_, mac1R_V0: D$9084e2f5_1186dc0d_, mac2R_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Handshake_St_Resp_2_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0, ekR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Handshake_St_Resp_2_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, pkI_V0, kR_V0, epkI_V0, psk_V0, c3_V0, h4_V0, sidI_V0, ekR_V0, mac1R_V0, mac2R_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + 
requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Receive_First_Resp_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, n_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Receive_First_Resp_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, n_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, nRI_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Send_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Send_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, nRI_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method internBIO_e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0: D$fe170ee1_c3672ae3_, sidR_V0: D$9084e2f5_1186dc0d_, a_V0: D$9084e2f5_1186dc0d_, b_V0: D$9084e2f5_1186dc0d_, prologue_V0: D$9084e2f5_1186dc0d_, info_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, kIR_V0: D$9084e2f5_1186dc0d_, kRI_V0: D$9084e2f5_1186dc0d_, x_V0: D$9084e2f5_1186dc0d_, nIR_V0: D$9084e2f5_1186dc0d_, p_V0: D$9084e2f5_1186dc0d_, tami_lp_V0: Multiset[D$226445f2_3e61b158_], tami_ap_V0: 
Multiset[D$46be403b_2716b91c_], tami_rp_V0: Multiset[D$226445f2_3e61b158_]) returns (tami_pp_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(tami_p_V0), write) && acc(e_Receive_Resp_Loop_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0), write) + ensures acc(token_c3672ae3_F(tami_pp_V0), write) && tami_pp_V0 == old(get_e_Receive_Resp_Loop_placeDst_c0f0ff6b_F(tami_p_V0, sidR_V0, a_V0, b_V0, prologue_V0, info_V0, sidI_V0, kIR_V0, kRI_V0, x_V0, nIR_V0, p_V0, tami_lp_V0, tami_ap_V0, tami_rp_V0)) + + +method GetInit0I_c7a67a88_F(a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Int, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Setup_Init_c0f0ff6b_F(t_V0, rid_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Init_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Init_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Setup_Init_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Init_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_Setup_Init_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Init_r2_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) ==> old(get_e_Setup_Init_r2_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0)) + + +method GetResp0R_c7a67a88_F(a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns 
(ok_V0: Bool, b1_V0: Int, b2_V0: Int, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Setup_Resp_c0f0ff6b_F(t_V0, rid_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Resp_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) == gamma_b3aa12e7_F(old(get_e_Setup_Resp_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Setup_Resp_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Resp_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_Setup_Resp_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_Setup_Resp_r2_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) ==> old(get_e_Setup_Resp_r2_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0)) + + +method GetLtKBio_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], own_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_LtK_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(b2_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_LtK_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> Abs_c7a67a88_F(b2_V0) == gamma_b3aa12e7_F(old(get_e_LtK_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == 
old(get_e_LtK_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_LtK_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_LtK_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + + +method GetLtpKBio_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], other_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_LtpK_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(b2_V0), write) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_LtpK_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> Abs_c7a67a88_F(b2_V0) == gamma_b3aa12e7_F(old(get_e_LtpK_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_LtpK_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_LtpK_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_LtpK_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + + +method GetPsKBio_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], a_V0: Int, b_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, b1_V0: Int, b2_V0: Int, b3_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_PsK_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(b3_V0), write) + ensures ok_V0 ==> 
gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) == gamma_b3aa12e7_F(old(get_e_PsK_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) == gamma_b3aa12e7_F(old(get_e_PsK_r2_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> Abs_c7a67a88_F(b3_V0) == gamma_b3aa12e7_F(old(get_e_PsK_r3_c0f0ff6b_F(t_V0, rid_V0))) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_PsK_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_PsK_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0))) ==> old(get_e_PsK_r1_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b1_V0)) + ensures ok_V0 ==> gamma_b3aa12e7_F(old(get_e_PsK_r2_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0))) ==> old(get_e_PsK_r2_c0f0ff6b_F(t_V0, rid_V0)) == pubTerm_1186dc0d_F(pub_integer32_db7e1422_F(b2_V0)) + + +method NewPrivateKey_c7a67a88_F(t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (key_V0: Slice[Ref], ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_FrFact_c0f0ff6b_F(t_V0, rid_V0), write) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(key_V0), write) && Size_c7a67a88_F(key_V0) == 32 + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_FrFact_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures ok_V0 ==> Abs_c7a67a88_F(key_V0) == gamma_b3aa12e7_F(old(get_e_FrFact_r1_c0f0ff6b_F(t_V0, rid_V0))) + + +method Timestamp_c7a67a88_F(t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (res_V0: Slice[Ref], t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Timestamp_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 12 + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == 
old(get_e_Timestamp_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures Abs_c7a67a88_F(res_V0) == gamma_b3aa12e7_F(old(get_e_Timestamp_r1_c0f0ff6b_F(t_V0, rid_V0))) + + +method AddMac1_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref], b_V0: D$8d64a7ad_b3aa12e7_, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (mac1_V0: D$8d64a7ad_b3aa12e7_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_MAC_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) && Size_c7a67a88_F(msg_V0) == old(Size_c7a67a88_F(msg_V0)) + ensures mac1_V0 == gamma_b3aa12e7_F(old(get_e_MAC_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_MAC_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures old(Abs_c7a67a88_F(msg_V0)) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)) ==> Abs_c7a67a88_F(msg_V0) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), mac1_V0, zeroStringB_b3aa12e7_F(16)) + + +method AddMac2_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref], b_V0: D$8d64a7ad_b3aa12e7_, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (mac2_V0: D$8d64a7ad_b3aa12e7_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_MAC_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) && Size_c7a67a88_F(msg_V0) == 
old(Size_c7a67a88_F(msg_V0)) + ensures mac2_V0 == gamma_b3aa12e7_F(old(get_e_MAC_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_MAC_placeDst_c0f0ff6b_F(t_V0, rid_V0)) + ensures old(Abs_c7a67a88_F(msg_V0)) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), getSixthB_b3aa12e7_F(b_V0), zeroStringB_b3aa12e7_F(16)) ==> Abs_c7a67a88_F(msg_V0) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), getSixthB_b3aa12e7_F(b_V0), mac2_V0) + + +method GetCounter_c7a67a88_F(counter_V0: Int, t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (res_V0: Int, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Counter_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Counter_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && integer64B_b3aa12e7_F(res_V0) == gamma_b3aa12e7_F(old(get_e_Counter_r1_c0f0ff6b_F(t_V0, rid_V0))) + ensures gamma_b3aa12e7_F(old(get_e_Counter_r1_c0f0ff6b_F(t_V0, rid_V0))) == gamma_b3aa12e7_F(integer64_d2674021_F(res_V0)) ==> old(get_e_Counter_r1_c0f0ff6b_F(t_V0, rid_V0)) == integer64_d2674021_F(res_V0) + + +method NewLibraryState_c7a67a88_F(d_V0: Ref) returns (libState_V0: Tuple4[Ref, Int, Int, Int], args_V0: Tuple5[Slice[Ref], Slice[Ref], Int, Slice[Ref], Slice[Ref]], ok_V0: Bool) + + +method Receive_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (packet_V0: Slice[Ref], ok_V0: Bool, term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_InFact_c0f0ff6b_F(t_V0, rid_V0), write) + ensures 
acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(packet_V0), write) && gamma_b3aa12e7_F(term_V0) == Abs_c7a67a88_F(packet_V0) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_InFact_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && term_V0 == old(get_e_InFact_r1_c0f0ff6b_F(t_V0, rid_V0)) + ensures !ok_V0 ==> t1_V0 == t_V0 && acc(token_c3672ae3_F(t_V0), write) && acc(e_InFact_c0f0ff6b_F(t_V0, rid_V0), write) && get_e_InFact_placeDst_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_InFact_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && get_e_InFact_r1_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_InFact_r1_c0f0ff6b_F(t_V0, rid_V0)) + + +method GetPacket_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_) returns (res_V0: Slice[Ref], ok_V0: Bool, term_V0: D$9084e2f5_1186dc0d_, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_Message_c0f0ff6b_F(t_V0, rid_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(res_V0), write) && gamma_b3aa12e7_F(term_V0) == Abs_c7a67a88_F(res_V0) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_Message_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && term_V0 == old(get_e_Message_r1_c0f0ff6b_F(t_V0, rid_V0)) + ensures !ok_V0 ==> t1_V0 == t_V0 && acc(token_c3672ae3_F(t_V0), write) && acc(e_Message_c0f0ff6b_F(t_V0, rid_V0), write) && get_e_Message_placeDst_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_Message_placeDst_c0f0ff6b_F(t_V0, rid_V0)) && get_e_Message_r1_c0f0ff6b_F(t_V0, rid_V0) == old(get_e_Message_r1_c0f0ff6b_F(t_V0, rid_V0)) + + +method ReceiveRequest_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (req_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + + +method ReceiveResponse_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) 
returns (response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + + +method ReceiveMessage_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (response_V0: ShStruct4[Ref, Ref, Ref, Ref], ok_V0: Bool) + + +method receiveBuffer_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (P0_PO0: Slice[Ref], P1_PO0: Tuple2[Ref, Types]) + + +method getMsgType_c7a67a88_F(packet_V0: Slice[Ref]) returns (P0_PO0: Int) + + +method Send_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], packet_V0: Slice[Ref], t_V0: D$fe170ee1_c3672ae3_, rid_V0: D$9084e2f5_1186dc0d_, m_V0: D$9084e2f5_1186dc0d_) returns (ok_V0: Bool, t1_V0: D$fe170ee1_c3672ae3_) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + requires acc(token_c3672ae3_F(t_V0), write) && acc(e_OutFact_c0f0ff6b_F(t_V0, rid_V0, m_V0), write) && gamma_b3aa12e7_F(m_V0) == Abs_c7a67a88_F(packet_V0) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> acc(token_c3672ae3_F(t1_V0), write) && t1_V0 == old(get_e_OutFact_placeDst_c0f0ff6b_F(t_V0, rid_V0, m_V0)) + ensures !ok_V0 ==> t1_V0 == t_V0 && acc(token_c3672ae3_F(t_V0), write) && acc(e_OutFact_c0f0ff6b_F(t_V0, rid_V0, m_V0), write) && get_e_OutFact_placeDst_c0f0ff6b_F(t_V0, rid_V0, m_V0) == old(get_e_OutFact_placeDst_c0f0ff6b_F(t_V0, rid_V0, m_V0)) + + +method ConsumePacket_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref]) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), 1 / 16) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), 1 / 16) + + +method sendBuffer_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], buffer_V0: Slice[Ref]) returns (P0_PO0: Tuple2[Ref, Types]) + + +method PadMsg_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: 
Slice[Ref]) returns (res_V0: Slice[Ref]) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) >= old(Size_c7a67a88_F(msg_V0)) + ensures Abs_c7a67a88_F(res_V0) == old(Abs_c7a67a88_F(msg_V0)) + + +method AddMacs_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Slice[Ref], b_V0: D$8d64a7ad_b3aa12e7_) returns (mac1_V0: Slice[Ref], mac2_V0: Slice[Ref]) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) && acc(Mem_c7a67a88_F(msg_V0), write) && Size_c7a67a88_F(msg_V0) == old(Size_c7a67a88_F(msg_V0)) + ensures acc(Mem_c7a67a88_F(mac1_V0), write) && acc(Mem_c7a67a88_F(mac2_V0), write) + ensures old(Abs_c7a67a88_F(msg_V0)) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), zeroStringB_b3aa12e7_F(16), zeroStringB_b3aa12e7_F(16)) ==> Abs_c7a67a88_F(msg_V0) == tuple7B_b3aa12e7_F(getFirstB_b3aa12e7_F(b_V0), getSecondB_b3aa12e7_F(b_V0), getThirdB_b3aa12e7_F(b_V0), getForthB_b3aa12e7_F(b_V0), getFifthB_b3aa12e7_F(b_V0), Abs_c7a67a88_F(mac1_V0), Abs_c7a67a88_F(mac2_V0)) + + +method Println_c7a67a88_PMLibraryState(libState_V0: ShStruct4[Ref, Ref, Ref, Ref], msg_V0: Int) + requires acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + ensures acc(LibMem_c7a67a88_F(libState_V0), 1 / 16) + + +method NewByteString_c7a67a88_F(n_V0: Int) returns (res_V0: Slice[Ref]) + requires n_V0 >= 0 + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == n_V0 + + +method WireGuardBytes_c7a67a88_F() returns (res_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(res_V0), write) + ensures Abs_c7a67a88_F(res_V0) == infoBytesB_b3aa12e7_F() + + +method PreludeBytes_c7a67a88_F() returns (res_V0: Slice[Ref]) + 
ensures acc(Mem_c7a67a88_F(res_V0), write) + ensures Abs_c7a67a88_F(res_V0) == prologueBytesB_b3aa12e7_F() + + +method ComputeSingleHash_c7a67a88_F(data_V0: Slice[Ref]) returns (res_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(data_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 32 + ensures Abs_c7a67a88_F(res_V0) == hashB__b3aa12e7_F(Abs_c7a67a88_F(data_V0)) + + +method ComputeHash_c7a67a88_F(dst_V0: Slice[Ref], h_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(h_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(dst_V0) == 32 && Size_c7a67a88_F(h_V0) == 32 + ensures acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(h_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(dst_V0) == 32 + ensures Abs_c7a67a88_F(dst_V0) == hashB_b3aa12e7_F(Abs_c7a67a88_F(h_V0), Abs_c7a67a88_F(data_V0)) + + +method ComputeHashInplace_c7a67a88_F(h_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(h_V0) == 32 + ensures acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(h_V0) == 32 + ensures Abs_c7a67a88_F(h_V0) == hashB_b3aa12e7_F(old(Abs_c7a67a88_F(h_V0)), Abs_c7a67a88_F(data_V0)) + + +method ComputeKDF1_c7a67a88_F(dst_V0: Slice[Ref], c_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(c_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(dst_V0) == 32 && Size_c7a67a88_F(c_V0) == 32 + ensures acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(c_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(dst_V0) == 32 + ensures Abs_c7a67a88_F(dst_V0) == kdf1B_b3aa12e7_F(Abs_c7a67a88_F(c_V0), Abs_c7a67a88_F(data_V0)) + + +method 
ComputeKDF1Inplace_c7a67a88_F(h_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(h_V0) == 32 + ensures acc(Mem_c7a67a88_F(h_V0), write) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(h_V0) == 32 + ensures Abs_c7a67a88_F(h_V0) == kdf1B_b3aa12e7_F(old(Abs_c7a67a88_F(h_V0)), Abs_c7a67a88_F(data_V0)) + + +method ComputeKDF2_c7a67a88_F(t0_V0: Slice[Ref], t1_V0: Slice[Ref], key_V0: Slice[Ref], input_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(t0_V0), write) && acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) + requires !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(input_V0), 1 / 16) + requires Size_c7a67a88_F(t0_V0) == 32 && Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(key_V0) == 32 + ensures acc(Mem_c7a67a88_F(t0_V0), write) && acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) + ensures !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(input_V0), 1 / 16) + ensures Size_c7a67a88_F(t0_V0) == 32 && Size_c7a67a88_F(t1_V0) == 32 + ensures !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> Abs_c7a67a88_F(t0_V0) == kdf1B_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(input_V0)) + ensures !(input_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> Abs_c7a67a88_F(t1_V0) == kdf2B_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(input_V0)) + ensures input_V0 == sliceDefault_Intbyte$$$_S_$$$() ==> Abs_c7a67a88_F(t0_V0) == kdf1B__b3aa12e7_F(Abs_c7a67a88_F(key_V0)) + ensures input_V0 == sliceDefault_Intbyte$$$_S_$$$() ==> Abs_c7a67a88_F(t1_V0) == kdf2B__b3aa12e7_F(Abs_c7a67a88_F(key_V0)) + + +method ComputeKDF2Inplace_c7a67a88_F(t1_V0: Slice[Ref], chainKey_V0: Slice[Ref], input_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + requires Size_c7a67a88_F(t1_V0) == 32 && 
Size_c7a67a88_F(chainKey_V0) == 32 + ensures acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + ensures Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(chainKey_V0) == 32 + ensures Abs_c7a67a88_F(chainKey_V0) == kdf1B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + ensures Abs_c7a67a88_F(t1_V0) == kdf2B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + + +method ComputeKDF3Inplace_c7a67a88_F(t1_V0: Slice[Ref], t2_V0: Slice[Ref], chainKey_V0: Slice[Ref], input_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(t2_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + requires Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(t2_V0) == 32 && Size_c7a67a88_F(chainKey_V0) == 32 + ensures acc(Mem_c7a67a88_F(t1_V0), write) && acc(Mem_c7a67a88_F(t2_V0), write) && acc(Mem_c7a67a88_F(chainKey_V0), write) && acc(Mem_c7a67a88_F(input_V0), 1 / 16) + ensures Size_c7a67a88_F(t1_V0) == 32 && Size_c7a67a88_F(t2_V0) == 32 && Size_c7a67a88_F(chainKey_V0) == 32 + ensures Abs_c7a67a88_F(chainKey_V0) == kdf1B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + ensures Abs_c7a67a88_F(t1_V0) == kdf2B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + ensures Abs_c7a67a88_F(t2_V0) == kdf3B_b3aa12e7_F(old(Abs_c7a67a88_F(chainKey_V0)), Abs_c7a67a88_F(input_V0)) + + +method ComputeMac_c7a67a88_F(dst_V0: Slice[Ref], key_V0: Slice[Ref], data_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + requires Size_c7a67a88_F(dst_V0) == 16 && Size_c7a67a88_F(key_V0) == 32 + ensures acc(Mem_c7a67a88_F(dst_V0), write) && acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(data_V0), 1 / 16) + ensures Size_c7a67a88_F(dst_V0) == 16 + + +method PublicKey_c7a67a88_F(sk_V0: Slice[Ref]) 
returns (pk_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && Size_c7a67a88_F(sk_V0) == 32 + ensures acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk_V0), write) && Size_c7a67a88_F(pk_V0) == 32 + ensures Abs_c7a67a88_F(pk_V0) == expB_b3aa12e7_F(generatorB_b3aa12e7_F(), Abs_c7a67a88_F(sk_V0)) + + +method ComputeSharedSecret_c7a67a88_F(sk_V0: Slice[Ref], pk_V0: Slice[Ref]) returns (ss_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk_V0), 1 / 16) && Size_c7a67a88_F(sk_V0) == 32 && Size_c7a67a88_F(pk_V0) == 32 + ensures acc(Mem_c7a67a88_F(sk_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk_V0), 1 / 16) && acc(Mem_c7a67a88_F(ss_V0), write) && Size_c7a67a88_F(ss_V0) == 32 + ensures Abs_c7a67a88_F(ss_V0) == expB_b3aa12e7_F(Abs_c7a67a88_F(pk_V0), Abs_c7a67a88_F(sk_V0)) + + +method EqualsSlice_c7a67a88_F(pk1_V0: Slice[Ref], pk2_V0: Slice[Ref]) returns (res_V0: Bool) + requires acc(Mem_c7a67a88_F(pk1_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk2_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(pk1_V0), 1 / 16) && acc(Mem_c7a67a88_F(pk2_V0), 1 / 16) + ensures res_V0 == (Abs_c7a67a88_F(pk1_V0) == Abs_c7a67a88_F(pk2_V0)) + + +method RandUint32_c7a67a88_F() returns (v_V0: Int, success_V0: Bool) + + +method ZeroNonce_c7a67a88_F() returns (nonce_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(nonce_V0), write) && Size_c7a67a88_F(nonce_V0) == 12 + ensures Abs_c7a67a88_F(nonce_V0) == zeroStringB_b3aa12e7_F(12) + + +method SetZero_c7a67a88_F(arr_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(arr_V0), write) + ensures acc(Mem_c7a67a88_F(arr_V0), write) && Size_c7a67a88_F(arr_V0) == old(Size_c7a67a88_F(arr_V0)) + + +method IsZero_c7a67a88_F(val_V0: Slice[Ref]) returns (P0_PO0: Bool) + requires acc(Mem_c7a67a88_F(val_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(val_V0), 1 / 16) + + +method AeadEnc_c7a67a88_F(key_V0: Slice[Ref], nonce_V0: Slice[Ref], plaintext_V0: Slice[Ref], additionalData_V0: Slice[Ref]) returns (res_V0: Slice[Ref], ok_V0: Bool) + 
requires acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) + requires !(plaintext_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(plaintext_V0), 1 / 16) + requires !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + requires Size_c7a67a88_F(key_V0) == 32 && Size_c7a67a88_F(nonce_V0) == 12 + ensures acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) + ensures !(plaintext_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(plaintext_V0), 1 / 16) + ensures !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == (plaintext_V0 == sliceDefault_Intbyte$$$_S_$$$() ? 0 : Size_c7a67a88_F(plaintext_V0)) + 16 + ensures ok_V0 ==> Abs_c7a67a88_F(res_V0) == aeadB_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(nonce_V0), SafeAbs_c7a67a88_F(plaintext_V0, 0), SafeAbs_c7a67a88_F(additionalData_V0, 0)) + + +method AeadDec_c7a67a88_F(key_V0: Slice[Ref], nonce_V0: Slice[Ref], ciphertext_V0: Slice[Ref], additionalData_V0: Slice[Ref]) returns (res_V0: Slice[Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) && acc(Mem_c7a67a88_F(ciphertext_V0), 1 / 16) + requires !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + requires Size_c7a67a88_F(key_V0) == 32 && Size_c7a67a88_F(nonce_V0) == 12 + ensures acc(Mem_c7a67a88_F(key_V0), 1 / 16) && acc(Mem_c7a67a88_F(nonce_V0), 1 / 16) && acc(Mem_c7a67a88_F(ciphertext_V0), 1 / 16) + ensures !(additionalData_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> acc(Mem_c7a67a88_F(additionalData_V0), 1 / 16) + ensures ok_V0 ==> acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == Size_c7a67a88_F(ciphertext_V0) - 16 + ensures ok_V0 ==> Abs_c7a67a88_F(ciphertext_V0) == 
aeadB_b3aa12e7_F(Abs_c7a67a88_F(key_V0), Abs_c7a67a88_F(nonce_V0), Abs_c7a67a88_F(res_V0), SafeAbs_c7a67a88_F(additionalData_V0, 0)) + + +method NonceToBytes_c7a67a88_F(nonce_V0: Int) returns (res_V0: Slice[Ref]) + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 12 + ensures Abs_c7a67a88_F(res_V0) == integer64B_b3aa12e7_F(nonce_V0) + + +method CombineMsg_c7a67a88_F(t_V0: Int, sid_V0: Int, nonce_V0: Int, payload_V0: Slice[Ref]) returns (res_V0: Slice[Ref]) + requires acc(Mem_c7a67a88_F(payload_V0), write) + ensures acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == old(Size_c7a67a88_F(payload_V0)) + 16 + + +method MarshalRequest_c7a67a88_F(req_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) returns (res_V0: Slice[Ref]) + requires acc(RequestMem_c7a67a88_F(req_V0), 1 / 16) + ensures acc(RequestMem_c7a67a88_F(req_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 148 + ensures RequestAbs_c7a67a88_F(req_V0) == Abs_c7a67a88_F(res_V0) + + +method UnmarshalRequest_c7a67a88_F(packet_V0: Slice[Ref]) returns (req_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> Size_c7a67a88_F(packet_V0) == 148 && acc(RequestMem_c7a67a88_F(req_V0), write) + ensures ok_V0 ==> Abs_c7a67a88_F(packet_V0) == RequestAbs_c7a67a88_F(req_V0) + + +method MarshalResponse_c7a67a88_F(response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref]) returns (res_V0: Slice[Ref]) + requires acc(ResponseMem_c7a67a88_F(response_V0), 1 / 16) + ensures acc(ResponseMem_c7a67a88_F(response_V0), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == 92 + ensures Abs_c7a67a88_F(res_V0) == ResponseAbs_c7a67a88_F(response_V0) + + +method UnmarshalResponse_c7a67a88_F(packet_V0: Slice[Ref]) returns (response_V0: ShStruct7[Ref, Ref, Ref, Ref, Ref, Ref, Ref], ok_V0: Bool) + requires 
acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> Size_c7a67a88_F(packet_V0) == 92 && acc(ResponseMem_c7a67a88_F(response_V0), write) + ensures ok_V0 ==> Abs_c7a67a88_F(packet_V0) == ResponseAbs_c7a67a88_F(response_V0) + + +method MarshalMessage_c7a67a88_F(message_V0: ShStruct4[Ref, Ref, Ref, Ref]) returns (res_V0: Slice[Ref]) + requires true && acc((ShStructget0of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget1of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget2of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget3of4(message_V0): Ref).val$_Slice_Ref, 1 / 16) && acc(Mem_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref), 1 / 16) && Size_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref) >= 16 + ensures true && acc((ShStructget0of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget1of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget2of4(message_V0): Ref).val$_Int, 1 / 16) && acc((ShStructget3of4(message_V0): Ref).val$_Slice_Ref, 1 / 16) && acc(Mem_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref), 1 / 16) && acc(Mem_c7a67a88_F(res_V0), write) && Size_c7a67a88_F(res_V0) == Size_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref) + 16 + ensures Abs_c7a67a88_F(res_V0) == tuple4B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of4(message_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of4(message_V0): Ref).val$_Int), integer64B_b3aa12e7_F((ShStructget2of4(message_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref)) + + +method UnmarshalMessage_c7a67a88_F(packet_V0: Slice[Ref]) returns (message_V0: ShStruct4[Ref, Ref, Ref, Ref], ok_V0: Bool) + requires acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures acc(Mem_c7a67a88_F(packet_V0), 1 / 16) + ensures ok_V0 ==> Size_c7a67a88_F(packet_V0) >= 16 && (true && acc((ShStructget0of4(message_V0): Ref).val$_Int, write) && 
acc((ShStructget1of4(message_V0): Ref).val$_Int, write) && acc((ShStructget2of4(message_V0): Ref).val$_Int, write) && acc((ShStructget3of4(message_V0): Ref).val$_Slice_Ref, write)) && acc(Mem_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref), write) && Size_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref) == Size_c7a67a88_F(packet_V0) - 16 + ensures ok_V0 ==> Abs_c7a67a88_F(packet_V0) == tuple4B_b3aa12e7_F(integer32B_b3aa12e7_F((ShStructget0of4(message_V0): Ref).val$_Int), integer32B_b3aa12e7_F((ShStructget1of4(message_V0): Ref).val$_Int), integer64B_b3aa12e7_F((ShStructget2of4(message_V0): Ref).val$_Int), Abs_c7a67a88_F((ShStructget3of4(message_V0): Ref).val$_Slice_Ref)) + + +method patternRequirement1_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, ltpk_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_, x8_V0: D$9084e2f5_1186dc0d_, x9_V0: D$9084e2f5_1186dc0d_, x10_V0: D$9084e2f5_1186dc0d_, x11_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(St_Init_1_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), kI_V0, ltpk_V0, ekI_V0, psk_V0, c3_V0, h4_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M2_lin_35781e6d_F(rid_V0, sidR_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, 
c3_V0, c3_V0, h4_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M2_lin_35781e6d_F(rid_V0, x1_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0, x8_V0, x9_V0, x10_V0, x11_V0) + ensures acc(patternRequirement1EPKRWitness_8142c2d2_F(x2_V0), write) + + +method patternRequirement1_2_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, ltpk_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, o_V0: D$9084e2f5_1186dc0d_) + requires acc(patternRequirement1EPKRWitness_8142c2d2_F(epkR_V0), write) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(St_Init_1_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), kI_V0, ltpk_V0, ekI_V0, psk_V0, c3_V0, h4_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M2_lin_35781e6d_F(rid_V0, sidR_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M2_lin_35781e6d_F(rid_V0, x1_V0, kI_V0, kI_V0, psk_V0, psk_V0, ekI_V0, ekI_V0, c3_V0, c3_V0, h4_V0, o_V0, epkR_V0, epkR_V0, 
epkR_V0, epkR_V0, epkR_V0, epkR_V0, epkR_V0, x2_V0, x3_V0) + + +method patternRequirement3_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_, x6_V0: D$9084e2f5_1186dc0d_, x7_V0: D$9084e2f5_1186dc0d_, x8_V0: D$9084e2f5_1186dc0d_, x9_V0: D$9084e2f5_1186dc0d_, x10_V0: D$9084e2f5_1186dc0d_, x11_V0: D$9084e2f5_1186dc0d_, x12_V0: D$9084e2f5_1186dc0d_, x13_V0: D$9084e2f5_1186dc0d_, x14_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(Setup_Resp_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0))) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M1_lin_68d987ee_F(sidI_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, ts_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M1_lin_68d987ee_F(x1_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, x2_V0, x3_V0, x4_V0, x5_V0, x6_V0, x7_V0, x8_V0, x9_V0, x10_V0, x11_V0, x12_V0, x13_V0, x14_V0) + ensures acc(patternRequirement3EPKIWitness_8142c2d2_F(x2_V0), write) + + +method patternRequirement3_2_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, sidI_V0: 
D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, o_V0: D$9084e2f5_1186dc0d_) + requires acc(patternRequirement3EPKIWitness_8142c2d2_F(epkI_V0), write) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(Setup_Resp_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0))) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M1_lin_68d987ee_F(sidI_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, ts_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M1_lin_68d987ee_F(x1_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, kR_V0, pkI_V0, pkI_V0, pkI_V0, o_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, epkI_V0, x2_V0, x3_V0, x4_V0) + + +method patternRequirement4_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, ridOther_V0: D$9084e2f5_1186dc0d_, ownKey_V0: D$9084e2f5_1186dc0d_, foreignKey_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, msg_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_], isInitiator_V0: Bool) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) + requires isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires isInitiator_V0 ==> 
(Multiset(St_Init_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, ownKey_V0, foreignKey_V0)) subset s_V0) + requires !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires !isInitiator_V0 ==> (Multiset(St_Resp_2_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) || (Multiset(St_Resp_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, n_V0, aead_d2674021_F(foreignKey_V0, n_V0, msg_V0, zeroString_d2674021_F(0)))) + ensures acc(token_c3672ae3_F(p_V0), write) + ensures isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, x1_V0, aead_d2674021_F(foreignKey_V0, x2_V0, x3_V0, zeroString_d2674021_F(0))) + ensures acc(patternRequirement4NonceWitness_8142c2d2_F(x1_V0), write) + + +method patternRequirement4_2_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, ridOther_V0: D$9084e2f5_1186dc0d_, ownKey_V0: D$9084e2f5_1186dc0d_, foreignKey_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, msg_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_], isInitiator_V0: Bool) returns (x1_V0: D$9084e2f5_1186dc0d_, o_V0: D$9084e2f5_1186dc0d_) + requires acc(patternRequirement4NonceWitness_8142c2d2_F(n_V0), write) + requires acc(token_c3672ae3_F(p_V0), write) + requires isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires 
isInitiator_V0 ==> (Multiset(St_Init_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, ownKey_V0, foreignKey_V0)) subset s_V0) + requires !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires !isInitiator_V0 ==> (Multiset(St_Resp_2_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) || (Multiset(St_Resp_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, n_V0, aead_d2674021_F(foreignKey_V0, n_V0, msg_V0, zeroString_d2674021_F(0)))) + ensures acc(token_c3672ae3_F(p_V0), write) + ensures isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, o_V0, aead_d2674021_F(foreignKey_V0, n_V0, x1_V0, zeroString_d2674021_F(0))) + + +method patternProperty1_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kI_V0: D$9084e2f5_1186dc0d_, ltpk_V0: D$9084e2f5_1186dc0d_, psk_V0: D$9084e2f5_1186dc0d_, ekI_V0: D$9084e2f5_1186dc0d_, c3_V0: D$9084e2f5_1186dc0d_, h4_V0: D$9084e2f5_1186dc0d_, sidR_V0: D$9084e2f5_1186dc0d_, epkR_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), 
write) + requires (Multiset(St_Init_1_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), kI_V0, ltpk_V0, ekI_V0, psk_V0, c3_V0, h4_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M2_35781e6d_F(rid_V0, sidR_V0, kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, epkR_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M2_35781e6d_F(rid_V0, x1_V0, kI_V0, psk_V0, ekI_V0, c3_V0, h4_V0, x2_V0, x3_V0, x4_V0) + + +method patternProperty3_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, kR_V0: D$9084e2f5_1186dc0d_, pkI_V0: D$9084e2f5_1186dc0d_, sidI_V0: D$9084e2f5_1186dc0d_, epkI_V0: D$9084e2f5_1186dc0d_, ts_V0: D$9084e2f5_1186dc0d_, mac1_V0: D$9084e2f5_1186dc0d_, mac2_V0: D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_]) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_, x3_V0: D$9084e2f5_1186dc0d_, x4_V0: D$9084e2f5_1186dc0d_, x5_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires (Multiset(Setup_Resp_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0))) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(Term_M1_68d987ee_F(sidI_V0, kR_V0, pkI_V0, epkI_V0, ts_V0, mac1_V0, mac2_V0)) + ensures acc(token_c3672ae3_F(p_V0), write) && acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == Term_M1_68d987ee_F(x1_V0, kR_V0, pkI_V0, x2_V0, x3_V0, x4_V0, x5_V0) + + +method patternProperty4_8142c2d2_F(rid_V0: D$9084e2f5_1186dc0d_, pp_V0: D$9084e2f5_1186dc0d_, ridOther_V0: D$9084e2f5_1186dc0d_, ownKey_V0: D$9084e2f5_1186dc0d_, foreignKey_V0: D$9084e2f5_1186dc0d_, n_V0: D$9084e2f5_1186dc0d_, msg_V0: 
D$9084e2f5_1186dc0d_, t_V0: D$9084e2f5_1186dc0d_, p_V0: D$fe170ee1_c3672ae3_, s_V0: Multiset[D$226445f2_3e61b158_], isInitiator_V0: Bool) returns (x1_V0: D$9084e2f5_1186dc0d_, x2_V0: D$9084e2f5_1186dc0d_) + requires acc(token_c3672ae3_F(p_V0), write) + requires isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires isInitiator_V0 ==> (Multiset(St_Init_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, ownKey_V0, foreignKey_V0)) subset s_V0) + requires !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + requires !isInitiator_V0 ==> (Multiset(St_Resp_2_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) || (Multiset(St_Resp_3_3e61b158_F(rid_V0, getFirst_d2674021_F(pp_V0), getSecond_d2674021_F(pp_V0), getThird_d2674021_F(pp_V0), getForth_d2674021_F(pp_V0), ridOther_V0, foreignKey_V0, ownKey_V0)) subset s_V0) + requires gamma_b3aa12e7_F(t_V0) == gamma_b3aa12e7_F(tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, n_V0, aead_d2674021_F(foreignKey_V0, n_V0, msg_V0, zeroString_d2674021_F(0)))) + ensures acc(token_c3672ae3_F(p_V0), write) + ensures isInitiator_V0 ==> acc(P_Init_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures !isInitiator_V0 ==> acc(P_Resp_c0f0ff6b_F(p_V0, rid_V0, s_V0), write) + ensures t_V0 == tuple4_d2674021_F(integer32_d2674021_F(4), rid_V0, x1_V0, aead_d2674021_F(foreignKey_V0, x1_V0, x2_V0, zeroString_d2674021_F(0))) diff --git a/src/test/resources/biabduction/frontends/gobra/scion_DecodeAddrHdr.vpr b/src/test/resources/biabduction/frontends/gobra/scion_DecodeAddrHdr.vpr new file mode 100644 index 00000000..2ef92bb1 --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/scion_DecodeAddrHdr.vpr 
@@ -0,0 +1,3749 @@ +domain ShStruct2[T0, T1] { + + function ShStructget1of2(x: ShStruct2[T0, T1]): T1 + + function ShStructget0of2(x: ShStruct2[T0, T1]): T0 + + function ShStructrev1of2(v1: T1): ShStruct2[T0, T1] + + function ShStructrev0of2(v0: T0): ShStruct2[T0, T1] + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget1of2(x): T1) } + (ShStructrev1of2((ShStructget1of2(x): T1)): ShStruct2[T0, T1]) == x) + } + + axiom { + (forall x: ShStruct2[T0, T1], y: ShStruct2[T0, T1] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of2(x): T0) == (ShStructget0of2(y): T0) && + (ShStructget1of2(x): T1) == (ShStructget1of2(y): T1))) + } + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget0of2(x): T0) } + (ShStructrev0of2((ShStructget0of2(x): T0)): ShStruct2[T0, T1]) == x) + } +} + +domain ShStruct0 { + + axiom { + (forall x: ShStruct0, y: ShStruct0 :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == true) + } +} + +domain Emb_4_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain ShStruct1[T0] { + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } +} + +domain ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] { + + function ShStructget4of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T4 + + function ShStructget10of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T10 + + function ShStructrev4of17(v4: T4): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev10of17(v10: T10): ShStruct17[T0, T1, T2, T3, T4, T5, T6, 
T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev13of17(v13: T13): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget5of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T5 + + function ShStructrev0of17(v0: T0): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev2of17(v2: T2): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev1of17(v1: T1): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget6of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T6 + + function ShStructrev15of17(v15: T15): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget7of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T7 + + function ShStructrev14of17(v14: T14): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget8of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T8 + + function ShStructrev7of17(v7: T7): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget2of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T2 + + function ShStructget11of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T11 + + function ShStructrev12of17(v12: T12): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget3of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T3 + + function ShStructrev11of17(v11: T11): ShStruct17[T0, T1, T2, T3, 
T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev9of17(v9: T9): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev8of17(v8: T8): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev5of17(v5: T5): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev3of17(v3: T3): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget16of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T16 + + function ShStructget14of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T14 + + function ShStructget13of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T13 + + function ShStructrev16of17(v16: T16): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev6of17(v6: T6): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget9of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T9 + + function ShStructget12of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T12 + + function ShStructget0of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T0 + + function ShStructget1of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T1 + + function ShStructget15of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T15 + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget10of17(x): T10) } + 
(ShStructrev10of17((ShStructget10of17(x): T10)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget1of17(x): T1) } + (ShStructrev1of17((ShStructget1of17(x): T1)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget2of17(x): T2) } + (ShStructrev2of17((ShStructget2of17(x): T2)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget16of17(x): T16) } + (ShStructrev16of17((ShStructget16of17(x): T16)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget8of17(x): T8) } + (ShStructrev8of17((ShStructget8of17(x): T8)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget3of17(x): T3) } + (ShStructrev3of17((ShStructget3of17(x): T3)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget12of17(x): T12) } + (ShStructrev12of17((ShStructget12of17(x): T12)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, 
T11, T12, T13, T14, T15, T16] :: + { (ShStructget7of17(x): T7) } + (ShStructrev7of17((ShStructget7of17(x): T7)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget11of17(x): T11) } + (ShStructrev11of17((ShStructget11of17(x): T11)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16], + y: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of17(x): T0) == (ShStructget0of17(y): T0) && + (ShStructget1of17(x): T1) == (ShStructget1of17(y): T1) && + (ShStructget2of17(x): T2) == (ShStructget2of17(y): T2) && + (ShStructget3of17(x): T3) == (ShStructget3of17(y): T3) && + (ShStructget4of17(x): T4) == (ShStructget4of17(y): T4) && + (ShStructget5of17(x): T5) == (ShStructget5of17(y): T5) && + (ShStructget6of17(x): T6) == (ShStructget6of17(y): T6) && + (ShStructget7of17(x): T7) == (ShStructget7of17(y): T7) && + (ShStructget8of17(x): T8) == (ShStructget8of17(y): T8) && + (ShStructget9of17(x): T9) == (ShStructget9of17(y): T9) && + (ShStructget10of17(x): T10) == (ShStructget10of17(y): T10) && + (ShStructget11of17(x): T11) == (ShStructget11of17(y): T11) && + (ShStructget12of17(x): T12) == (ShStructget12of17(y): T12) && + (ShStructget13of17(x): T13) == (ShStructget13of17(y): T13) && + (ShStructget14of17(x): T14) == (ShStructget14of17(y): T14) && + (ShStructget15of17(x): T15) == (ShStructget15of17(y): T15) && + (ShStructget16of17(x): T16) == (ShStructget16of17(y): T16))) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget4of17(x): T4) } + 
(ShStructrev4of17((ShStructget4of17(x): T4)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget5of17(x): T5) } + (ShStructrev5of17((ShStructget5of17(x): T5)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget15of17(x): T15) } + (ShStructrev15of17((ShStructget15of17(x): T15)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget6of17(x): T6) } + (ShStructrev6of17((ShStructget6of17(x): T6)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget9of17(x): T9) } + (ShStructrev9of17((ShStructget9of17(x): T9)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget0of17(x): T0) } + (ShStructrev0of17((ShStructget0of17(x): T0)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget14of17(x): T14) } + (ShStructrev14of17((ShStructget14of17(x): T14)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, 
T12, T13, T14, T15, T16] :: + { (ShStructget13of17(x): T13) } + (ShStructrev13of17((ShStructget13of17(x): T13)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } +} + +domain Types { + + unique function Y$60c7bddc_b41831d7__Types_tag(): Int + + function IPAddr_5c610647_T_Types(): Types + + function Payload_b41831d7_T_Types(): Types + + function tag_Types(t: Types): Int + + function L4ProtocolType_840d9458_T_Types(): Types + + function integer_Types(): Types + + unique function Y$febd64e7_b41831d7__Types_tag(): Int + + unique function SCION_840d9458_T_Types_tag(): Int + + unique function Y$35202e5_cd675838__Types_tag(): Int + + unique function SCMPDestinationUnreachable_840d9458_T_Types_tag(): Int + + unique function BFD_6416454f_T_Types_tag(): Int + + unique function SCMP_840d9458_T_Types_tag(): Int + + function HostIPv6_cd675838_T_Types(): Types + + function byte_Types(): Types + + unique function UDPAddr_5c610647_T_Types_tag(): Int + + function Y$60c7bddc_b41831d7__Types(): Types + + unique function Y$3191b69e_b41831d7__Types_tag(): Int + + function EndToEndExtnSkipper_840d9458_T_Types(): Types + + function slice_Types(p0: Types): Types + + unique function SCMPPacketTooBig_840d9458_T_Types_tag(): Int + + unique function Path_c6e60a1d_T_Types_tag(): Int + + unique function HostIPv6_cd675838_T_Types_tag(): Int + + unique function Y$53a71dc3_5c610647__Types_tag(): Int + + function Raw_daeaf66a_T_Types(): Types + + unique function SCMPTypeCode_840d9458_T_Types_tag(): Int + + unique function Y$9127f611_b41831d7__Types_tag(): Int + + function BFD_6416454f_T_Types(): Types + + unique function IA_cd675838_T_Types_tag(): Int + + unique function integer_Types_tag(): Int + + unique function EndToEndExtnSkipper_840d9458_T_Types_tag(): Int + + unique function int_Types_tag(): Int + + function Path_c385169_T_Types(): Types + + unique function nil_Types_tag(): Int + + function SCMPType_840d9458_T_Types(): Types + + function 
Y$c2e55be_72f0d887__Types(): Types + + function SCMPInternalConnectivityDown_840d9458_T_Types(): Types + + function nil_Types(): Types + + unique function SCMPCode_840d9458_T_Types_tag(): Int + + unique function Y$9c78df5f_b41831d7__Types_tag(): Int + + unique function HostIPv4_cd675838_T_Types_tag(): Int + + function HostNone_cd675838_T_Types(): Types + + function Y$9127f611_b41831d7__Types(): Types + + unique function AS_cd675838_T_Types_tag(): Int + + function SCMPPacketTooBig_840d9458_T_Types(): Types + + unique function Decoded_daeaf66a_T_Types_tag(): Int + + function LayerType_b41831d7_T_Types(): Types + + unique function SCMPInternalConnectivityDown_840d9458_T_Types_tag(): Int + + function HopByHopExtnSkipper_840d9458_T_Types(): Types + + function Y$53a71dc3_5c610647__Types(): Types + + unique function slice_Types_tag(): Int + + function Y$9c78df5f_b41831d7__Types(): Types + + unique function string_Types_tag(): Int + + function bigEndian_72f0d887_T_Types(): Types + + function get_0_pointer_Types(t: Types): Types + + unique function Y$558431e4_a6ceb89d__Types_tag(): Int + + function Y$b28ae4_ac87dd1d__Types(): Types + + unique function SCMPTraceroute_840d9458_T_Types_tag(): Int + + function uint16_Types(): Types + + function SCMPParameterProblem_840d9458_T_Types(): Types + + unique function Y$49c4c25f_d3743b4f__Types_tag(): Int + + unique function Y$b28ae4_ac87dd1d__Types_tag(): Int + + function Path_4cddb96f_T_Types(): Types + + function SCMPCode_840d9458_T_Types(): Types + + function empty_interface_Types(): Types + + unique function SCMPExternalInterfaceDown_840d9458_T_Types_tag(): Int + + function nilDecodeFeedback_b41831d7_T_Types(): Types + + function string_Types(): Types + + function Y$68d3cee9_b41831d7__Types(): Types + + unique function LayerType_b41831d7_T_Types_tag(): Int + + unique function Y$68d3cee9_b41831d7__Types_tag(): Int + + function AddrType_840d9458_T_Types(): Types + + unique function Payload_b41831d7_T_Types_tag(): Int + + unique 
function AddrType_840d9458_T_Types_tag(): Int + + function SCION_840d9458_T_Types(): Types + + function HopByHopExtn_840d9458_T_Types(): Types + + unique function SCMPType_840d9458_T_Types_tag(): Int + + unique function IPAddr_5c610647_T_Types_tag(): Int + + unique function uint16_Types_tag(): Int + + unique function L4ProtocolType_840d9458_T_Types_tag(): Int + + unique function nilDecodeFeedback_b41831d7_T_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function Path_c6e60a1d_T_Types(): Types + + function Y$35202e5_cd675838__Types(): Types + + unique function byte_Types_tag(): Int + + function SCMPTraceroute_840d9458_T_Types(): Types + + function Y$6914870a_b41831d7__Types(): Types + + function SCMPExternalInterfaceDown_840d9458_T_Types(): Types + + function HostSVC_cd675838_T_Types(): Types + + unique function Raw_daeaf66a_T_Types_tag(): Int + + function pointer_Types(p0: Types): Types + + unique function HostNone_cd675838_T_Types_tag(): Int + + function IA_cd675838_T_Types(): Types + + unique function Y$17800ab4_b41831d7__Types_tag(): Int + + unique function pointer_Types_tag(): Int + + function AS_cd675838_T_Types(): Types + + unique function empty_interface_Types_tag(): Int + + function Y$febd64e7_b41831d7__Types(): Types + + function EndToEndExtn_840d9458_T_Types(): Types + + unique function Y$8f734176_14a7fb6d__Types_tag(): Int + + unique function Path_4cddb96f_T_Types_tag(): Int + + unique function littleEndian_72f0d887_T_Types_tag(): Int + + function HostIPv4_cd675838_T_Types(): Types + + unique function SCMPEcho_840d9458_T_Types_tag(): Int + + function SCMPTypeCode_840d9458_T_Types(): Types + + function littleEndian_72f0d887_T_Types(): Types + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + unique function Y$6914870a_b41831d7__Types_tag(): Int + + unique function rawPath_a6ceb89d_T_Types_tag(): Int + + unique function HopByHopExtnSkipper_840d9458_T_Types_tag(): Int + + function 
SCMPDestinationUnreachable_840d9458_T_Types(): Types + + function Y$17800ab4_b41831d7__Types(): Types + + function rawPath_a6ceb89d_T_Types(): Types + + function Y$8f734176_14a7fb6d__Types(): Types + + unique function Path_c385169_T_Types_tag(): Int + + unique function EndToEndExtn_840d9458_T_Types_tag(): Int + + function SCMP_840d9458_T_Types(): Types + + function SCMPEcho_840d9458_T_Types(): Types + + function Y$3191b69e_b41831d7__Types(): Types + + function Y$49c4c25f_d3743b4f__Types(): Types + + function UDPAddr_5c610647_T_Types(): Types + + function int_Types(): Types + + function Decoded_daeaf66a_T_Types(): Types + + unique function HostSVC_cd675838_T_Types_tag(): Int + + unique function bigEndian_72f0d887_T_Types_tag(): Int + + unique function SCMPParameterProblem_840d9458_T_Types_tag(): Int + + unique function HopByHopExtn_840d9458_T_Types_tag(): Int + + function Y$558431e4_a6ceb89d__Types(): Types + + unique function Y$c2e55be_72f0d887__Types_tag(): Int + + axiom { + tag_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + SCMPDestinationUnreachable_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Path_c385169_T_Types()) == true + } + + axiom { + comparableType_Types(Raw_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(Y$17800ab4_b41831d7__Types()) == false + } + + axiom { + tag_Types(Y$53a71dc3_5c610647__Types()) == + Y$53a71dc3_5c610647__Types_tag() + } + + axiom { + comparableType_Types(int_Types()) == true + } + + axiom { + tag_Types(SCMPCode_840d9458_T_Types()) == + SCMPCode_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCION_840d9458_T_Types()) == SCION_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HostIPv6_cd675838_T_Types()) == + HostIPv6_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(AS_cd675838_T_Types()) == true + } + + axiom { + tag_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + SCMPInternalConnectivityDown_840d9458_T_Types_tag() + } + + axiom { + 
comparableType_Types(Y$3191b69e_b41831d7__Types()) == false + } + + axiom { + tag_Types(SCMPPacketTooBig_840d9458_T_Types()) == + SCMPPacketTooBig_840d9458_T_Types_tag() + } + + axiom { + tag_Types(EndToEndExtn_840d9458_T_Types()) == + EndToEndExtn_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(LayerType_b41831d7_T_Types()) == true + } + + axiom { + tag_Types(HopByHopExtnSkipper_840d9458_T_Types()) == + HopByHopExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$558431e4_a6ceb89d__Types()) == false + } + + axiom { + comparableType_Types(littleEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(Y$53a71dc3_5c610647__Types()) == false + } + + axiom { + (forall p0: Types :: + { slice_Types(p0) } + tag_Types(slice_Types(p0)) == slice_Types_tag()) + } + + axiom { + tag_Types(BFD_6416454f_T_Types()) == BFD_6416454f_T_Types_tag() + } + + axiom { + tag_Types(Path_c6e60a1d_T_Types()) == Path_c6e60a1d_T_Types_tag() + } + + axiom { + comparableType_Types(SCION_840d9458_T_Types()) == true + } + + axiom { + tag_Types(uint16_Types()) == uint16_Types_tag() + } + + axiom { + tag_Types(HostSVC_cd675838_T_Types()) == HostSVC_cd675838_T_Types_tag() + } + + axiom { + tag_Types(IPAddr_5c610647_T_Types()) == IPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(nilDecodeFeedback_b41831d7_T_Types()) == true + } + + axiom { + tag_Types(Y$9c78df5f_b41831d7__Types()) == + Y$9c78df5f_b41831d7__Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + comparableType_Types(HostIPv4_cd675838_T_Types()) == false + } + + axiom { + tag_Types(SCMPParameterProblem_840d9458_T_Types()) == + SCMPParameterProblem_840d9458_T_Types_tag() + } + + axiom { + (forall p0: Types :: + { comparableType_Types(slice_Types(p0)) } + 
comparableType_Types(slice_Types(p0)) == false) + } + + axiom { + (forall x0: Types :: + { pointer_Types(x0) } + get_0_pointer_Types(pointer_Types(x0)) == x0) + } + + axiom { + comparableType_Types(uint16_Types()) == true + } + + axiom { + tag_Types(Y$68d3cee9_b41831d7__Types()) == + Y$68d3cee9_b41831d7__Types_tag() + } + + axiom { + tag_Types(integer_Types()) == integer_Types_tag() + } + + axiom { + comparableType_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(SCMPEcho_840d9458_T_Types()) == + SCMPEcho_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$c2e55be_72f0d887__Types()) == false + } + + axiom { + comparableType_Types(AddrType_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(EndToEndExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(string_Types()) == string_Types_tag() + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(Y$6914870a_b41831d7__Types()) == + Y$6914870a_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(rawPath_a6ceb89d_T_Types()) == true + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + comparableType_Types(Y$9127f611_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(Y$49c4c25f_d3743b4f__Types()) == false + } + + axiom { + comparableType_Types(SCMPType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$60c7bddc_b41831d7__Types()) == + Y$60c7bddc_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(SCMP_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(HopByHopExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + tag_Types(HostNone_cd675838_T_Types()) == + HostNone_cd675838_T_Types_tag() + } + + axiom { + (forall p0: Types :: + { comparableType_Types(pointer_Types(p0)) } + comparableType_Types(pointer_Types(p0)) == true) + } + + 
axiom { + comparableType_Types(SCMPParameterProblem_840d9458_T_Types()) == true + } + + axiom { + tag_Types(UDPAddr_5c610647_T_Types()) == UDPAddr_5c610647_T_Types_tag() + } + + axiom { + tag_Types(Payload_b41831d7_T_Types()) == Payload_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(Path_4cddb96f_T_Types()) == Path_4cddb96f_T_Types_tag() + } + + axiom { + comparableType_Types(bigEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(Y$6914870a_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(Y$35202e5_cd675838__Types()) == false + } + + axiom { + tag_Types(Y$35202e5_cd675838__Types()) == + Y$35202e5_cd675838__Types_tag() + } + + axiom { + comparableType_Types(integer_Types()) == true + } + + axiom { + comparableType_Types(byte_Types()) == true + } + + axiom { + tag_Types(SCMPType_840d9458_T_Types()) == + SCMPType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(L4ProtocolType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + tag_Types(nilDecodeFeedback_b41831d7_T_Types()) == + nilDecodeFeedback_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + SCMPExternalInterfaceDown_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(BFD_6416454f_T_Types()) == true + } + + axiom { + tag_Types(Y$9127f611_b41831d7__Types()) == + Y$9127f611_b41831d7__Types_tag() + } + + axiom { + tag_Types(AS_cd675838_T_Types()) == AS_cd675838_T_Types_tag() + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } + + axiom { + tag_Types(LayerType_b41831d7_T_Types()) == + LayerType_b41831d7_T_Types_tag() + } + + axiom { + comparableType_Types(Path_c6e60a1d_T_Types()) == true + } + + axiom { + tag_Types(HopByHopExtn_840d9458_T_Types()) == + HopByHopExtn_840d9458_T_Types_tag() + } + + axiom { + tag_Types(rawPath_a6ceb89d_T_Types()) == rawPath_a6ceb89d_T_Types_tag() + } + + axiom { + 
tag_Types(IA_cd675838_T_Types()) == IA_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(Y$60c7bddc_b41831d7__Types()) == false + } + + axiom { + tag_Types(SCMPTraceroute_840d9458_T_Types()) == + SCMPTraceroute_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Decoded_daeaf66a_T_Types()) == true + } + + axiom { + tag_Types(Y$b28ae4_ac87dd1d__Types()) == Y$b28ae4_ac87dd1d__Types_tag() + } + + axiom { + tag_Types(SCMP_840d9458_T_Types()) == SCMP_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPTraceroute_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$9c78df5f_b41831d7__Types()) == false + } + + axiom { + tag_Types(Y$c2e55be_72f0d887__Types()) == + Y$c2e55be_72f0d887__Types_tag() + } + + axiom { + comparableType_Types(IPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(EndToEndExtnSkipper_840d9458_T_Types()) == + EndToEndExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Path_c385169_T_Types()) == Path_c385169_T_Types_tag() + } + + axiom { + tag_Types(int_Types()) == int_Types_tag() + } + + axiom { + tag_Types(SCMPTypeCode_840d9458_T_Types()) == + SCMPTypeCode_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(HostIPv6_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + tag_Types(Y$febd64e7_b41831d7__Types()) == + Y$febd64e7_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$8f734176_14a7fb6d__Types()) == + Y$8f734176_14a7fb6d__Types_tag() + } + + axiom { + comparableType_Types(UDPAddr_5c610647_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { pointer_Types(p0) } + tag_Types(pointer_Types(p0)) == pointer_Types_tag()) + } + + axiom { + comparableType_Types(Y$68d3cee9_b41831d7__Types()) == false + } + + axiom { + tag_Types(AddrType_840d9458_T_Types()) == + AddrType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HostIPv4_cd675838_T_Types()) == + HostIPv4_cd675838_T_Types_tag() + } + + axiom { + 
tag_Types(Y$558431e4_a6ceb89d__Types()) == + Y$558431e4_a6ceb89d__Types_tag() + } + + axiom { + comparableType_Types(SCMPCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(L4ProtocolType_840d9458_T_Types()) == + L4ProtocolType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Payload_b41831d7_T_Types()) == false + } + + axiom { + comparableType_Types(Y$b28ae4_ac87dd1d__Types()) == false + } + + axiom { + tag_Types(littleEndian_72f0d887_T_Types()) == + littleEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPEcho_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$3191b69e_b41831d7__Types()) == + Y$3191b69e_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(string_Types()) == true + } + + axiom { + tag_Types(bigEndian_72f0d887_T_Types()) == + bigEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(HostSVC_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(IA_cd675838_T_Types()) == true + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(Y$febd64e7_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(EndToEndExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPTypeCode_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(HostNone_cd675838_T_Types()) == false + } + + axiom { + tag_Types(Raw_daeaf66a_T_Types()) == Raw_daeaf66a_T_Types_tag() + } + + axiom { + comparableType_Types(HopByHopExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$49c4c25f_d3743b4f__Types()) == + Y$49c4c25f_d3743b4f__Types_tag() + } + + axiom { + comparableType_Types(SCMPPacketTooBig_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$8f734176_14a7fb6d__Types()) == false + } + + axiom { + 
comparableType_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(Y$17800ab4_b41831d7__Types()) == + Y$17800ab4_b41831d7__Types_tag() + } + + axiom { + tag_Types(Decoded_daeaf66a_T_Types()) == Decoded_daeaf66a_T_Types_tag() + } + + axiom { + tag_Types(byte_Types()) == byte_Types_tag() + } + + axiom { + comparableType_Types(Path_4cddb96f_T_Types()) == true + } +} + +domain Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ { + + +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain Emb_2_Intuint8$$$_S_$$$ { + + +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function scap(s: Slice[T]): Int + + function soffset(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + function slen(s: Slice[T]): Int + + axiom deconstructor_over_constructor_array { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) == a) + } + + axiom { + (forall s: Slice[T] :: + { (soffset(s): Int), (scap(s): Int) } + { (ShArraylen((sarray(s): ShArray[T])): Int) } + (soffset(s): Int) + (scap(s): Int) <= + (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom deconstructor_over_constructor_len { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (slen((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (slen((smake(a, o, l, c): Slice[T])): Int) == l) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: + { (slen(s): Int) } + { (scap(s): Int) } + (slen(s): Int) <= (scap(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom deconstructor_over_constructor_offset { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (soffset((smake(a, o, l, c): 
Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (soffset((smake(a, o, l, c): Slice[T])): Int) == o) + } + + axiom deconstructor_over_constructor_cap { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (scap((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (scap((smake(a, o, l, c): Slice[T])): Int) == c) + } + + axiom { + (forall s: Slice[T] :: + { (sarray(s): ShArray[T]) } + { (soffset(s): Int) } + { (slen(s): Int) } + { (scap(s): Int) } + s == + (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShStruct6[T0, T1, T2, T3, T4, T5] { + + function ShStructget1of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T1 + + function ShStructget0of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T0 + + function ShStructrev3of6(v3: T3): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev4of6(v4: T4): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget5of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T5 + + function ShStructget3of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T3 + + function ShStructget2of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T2 + + function ShStructrev0of6(v0: T0): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev2of6(v2: T2): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev1of6(v1: T1): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev5of6(v5: T5): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget4of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T4 + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget3of6(x): T3) } + (ShStructrev3of6((ShStructget3of6(x): T3)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget1of6(x): T1) } + (ShStructrev1of6((ShStructget1of6(x): T1)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5], 
y: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of6(x): T0) == (ShStructget0of6(y): T0) && + (ShStructget1of6(x): T1) == (ShStructget1of6(y): T1) && + (ShStructget2of6(x): T2) == (ShStructget2of6(y): T2) && + (ShStructget3of6(x): T3) == (ShStructget3of6(y): T3) && + (ShStructget4of6(x): T4) == (ShStructget4of6(y): T4) && + (ShStructget5of6(x): T5) == (ShStructget5of6(y): T5))) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget0of6(x): T0) } + (ShStructrev0of6((ShStructget0of6(x): T0)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget2of6(x): T2) } + (ShStructrev2of6((ShStructget2of6(x): T2)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget5of6(x): T5) } + (ShStructrev5of6((ShStructget5of6(x): T5)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget4of6(x): T4) } + (ShStructrev4of6((ShStructget4of6(x): T4)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraysecond(r: T): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraylen(a: ShArray[T]): Int + + axiom { + (forall a: ShArray[T] :: + { (ShArraylen(a): Int) } + (ShArraylen(a): Int) >= 0) + } + + axiom { + (forall a: ShArray[T], i: Int :: + { (ShArrayloc(a, i): T) } + 0 <= i && i < (ShArraylen(a): Int) ==> + (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && + (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): 
ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructrev0of5(v0: T0): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && + (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && + (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && + (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && + (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget4of5(x): T4) } + (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget1of5(x): T1) } + (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget3of5(x): T3) } + (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget2of5(x): T2) } + (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget0of5(x): T0) } + (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { 
(tuple2(t0, t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget1of4(x): T1) } + (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget3of4(x): T3) } + (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget0of4(x): T0) } + (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && + (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && + (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && + (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget2of4(x): T2) } + (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == + x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructget2of3(x: 
ShStruct3[T0, T1, T2]): T2 + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Emb_3_Intuint8$$$_S_$$$ { + + +} + +domain Tuple0 { + + +} + +domain Emb_6_Intbyte$$$_S_$$$ { + + +} + +domain Emb_4_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain ComparableInterfaceDomain { + + function comparableInterface(i: Tuple2[Ref, Types]): Bool + + axiom { + (forall i: Tuple2[Ref, Types] :: + { comparableInterface(i) } + comparableType_Types((get1of2(i): Types)) ==> comparableInterface(i)) + } +} + +domain Poly[T] { + + function box_Poly(x: T): Ref + + function unbox_Poly(y: Ref): T + + axiom { + (forall x: T :: + { (box_Poly(x): Ref) } + (unbox_Poly((box_Poly(x): Ref)): T) == x) + } +} + +domain String { + + unique function stringLit61646472(): Int + + unique function 
stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e(): Int + + unique function stringLit5468757273646179(): Int + + unique function stringLit5765646e6573646179(): Int + + unique function stringLit556e6b6e6f776e4e65787448647254797065(): Int + + unique function stringLit496e76616c6964536f7572636541646472657373(): Int + + unique function stringLit45787465726e616c496e74657266616365446f776e(): Int + + unique function stringLit736f757263652061646472657373206d697373696e67(): Int + + unique function stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e(): Int + + unique function stringLit556e6b6e6f776e486f704279486f704f7074696f6e(): Int + + unique function stringLit6970(): Int + + unique function stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(): Int + + unique function stringLit44657374696e6174696f6e556e726561636861626c65(): Int + + unique function stringLit62756666657220746f6f2073686f7274(): Int + + unique function stringLit5472616365726f7574655265706c79(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e20(): Int + + unique function stringLit496e76616c6964457874656e73696f6e486561646572(): Int + + unique function stringLit5343494f4e20686561646572206d697373696e67(): Int + + unique function stringLit616464724864724c656e(): Int + + unique function stringLit6d696e696e756d5f6c65677468(): Int + + unique function stringLit4e6f6e65(): Int + + unique function stringLit4f63746f626572(): Int + + unique function stringLit5061746845787069726564(): Int + + unique function stringLit4563686f5265706c79(): Int + + unique function stringLit6864724279746573(): Int + + unique function stringLit496e76616c6964486f704669656c644d4143(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function 
stringLit496e76616c69645365676d656e744368616e6765(): Int + + unique function stringLit62696e6172792e4c6974746c65456e6469616e(): Int + + unique function stringLit5061636b6574546f6f426967(): Int + + unique function stringLit424644(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365(): Int + + unique function stringLit496e76616c69645061636b657453697a65(): Int + + unique function stringLit5472616365726f75746552657175657374(): Int + + unique function stringLit556e6b6e6f776e5061746854797065(): Int + + unique function stringLit257328257329(): Int + + unique function stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(): Int + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit456e6432456e64(): Int + + unique function stringLit4c6974746c65456e6469616e(): Int + + unique function stringLit4d6179(): Int + + unique function stringLit486f704279486f70(): Int + + unique function stringLit6d6178(): Int + + unique function stringLit4a616e75617279(): Int + + unique function stringLit686561646572206c656e6774682065786365656473206d6178696d756d(): Int + + unique function stringLit417072696c(): Int + + unique function stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564(): Int + + unique function stringLit256428256429(): Int + + unique function stringLit4a756e65(): Int + + unique function stringLit467269646179(): Int + + unique function stringLit506172616d6574657250726f626c656d(): Int + + unique function stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572(): Int + + unique function stringLit53657074656d626572(): Int + + unique function stringLit64657374696e6174696f6e2061646472657373206d697373696e67(): Int + + unique function 
stringLit496e7465726e616c436f6e6e6563746976697479446f776e(): Int + + unique function stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit426967456e6469616e(): Int + + unique function stringLit417567757374(): Int + + unique function stringLit4665627275617279(): Int + + unique function stringLit446563656d626572(): Int + + unique function stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034(): Int + + unique function stringLit556e6b6e6f776e41646472657373466f726d6174(): Int + + unique function stringLit496e76616c6964436f6d6d6f6e486561646572(): Int + + unique function stringLit6c656e(): Int + + unique function stringLit53756e646179(): Int + + unique function stringLit556e6b6e6f776e5343494f4e56657273696f6e(): Int + + unique function stringLit6d696e696d756d(): Int + + unique function stringLit554e4b4e4f574e2028256429(): Int + + unique function stringLit4e6f6e4c6f63616c44656c6976657279(): Int + + unique function stringLit436d644864724c656e(): Int + + unique function stringLit5361747572646179(): Int + + unique function stringLit6578706563746564(): Int + + unique function stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(): Int + + unique function stringLit257328436f64653a20256429(): Int + + unique function stringLit6d696e(): Int + + unique function stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(): Int + + unique function stringLit4572726f6e656f75734865616465724669656c64(): Int + + unique function stringLit466c6f7749445265717569726564(): Int + + unique function stringLit4d6f6e646179(): Int + + unique function stringLit4a756c79(): Int + + unique function stringLit756470(): Int + + unique function stringLit4563686f52657175657374(): Int + + unique function stringLit(): Int + + unique function stringLit756e737570706f727465642061646472657373(): Int + + unique function 
stringLit496e76616c696450617468(): Int + + unique function stringLit54756573646179(): Int + + unique function stringLit544350(): Int + + unique function stringLit4e6f76656d626572(): Int + + unique function stringLit556e6b6e6f776e456e64546f456e644f7074696f6e(): Int + + unique function stringLit74797065(): Int + + unique function stringLit496e76616c696441646472657373486561646572(): Int + + unique function stringLit2573282564295c6e5061796c6f61643a202573(): Int + + unique function stringLit53434d50(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365(): Int + + unique function stringLit4d61726368(): Int + + unique function stringLit4f7074696f6e206e6f7420666f756e64(): Int + + unique function stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573(): Int + + unique function stringLit61637475616c(): Int + + unique function stringLit62696e6172792e426967456e6469616e(): Int + + unique function stringLit554450(): Int + + unique function stringLit496e76616c696444657374696e6174696f6e41646472657373(): Int + + axiom { + strLen(stringLit5061746845787069726564()) == 11 + } + + axiom { + strLen(stringLit6578706563746564()) == 8 + } + + axiom { + strLen(stringLit756470()) == 3 + } + + axiom { + strLen(stringLit74797065()) == 4 + } + + axiom { + strLen(stringLit436d644864724c656e()) == 9 + } + + axiom { + strLen(stringLit62696e6172792e426967456e6469616e()) == 16 + } + + axiom { + strLen(stringLit496e76616c696441646472657373486561646572()) == 20 + } + + axiom { + strLen(stringLit257328436f64653a20256429()) == 12 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit686561646572206c656e6774682065786365656473206d6178696d756d()) == + 29 + } + + axiom { + strLen(stringLit496e76616c6964457874656e73696f6e486561646572()) == 22 + } + + axiom { + strLen(stringLit4563686f52657175657374()) == 11 + } + + axiom { + 
strLen(stringLit61637475616c()) == 6 + } + + axiom { + strLen(stringLit62696e6172792e4c6974746c65456e6469616e()) == 19 + } + + axiom { + strLen(stringLit467269646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032()) == + 47 + } + + axiom { + strLen(stringLit4d61726368()) == 5 + } + + axiom { + strLen(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c()) == + 28 + } + + axiom { + strLen(stringLit554450()) == 3 + } + + axiom { + strLen(stringLit426967456e6469616e()) == 9 + } + + axiom { + strLen(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e()) == + 32 + } + + axiom { + strLen(stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572()) == + 47 + } + + axiom { + strLen(stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573()) == + 38 + } + + axiom { + strLen(stringLit4a616e75617279()) == 7 + } + + axiom { + strLen(stringLit4d6179()) == 3 + } + + axiom { + strLen(stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564()) == + 39 + } + + axiom { + strLen(stringLit756e737570706f727465642061646472657373()) == 19 + } + + axiom { + strLen(stringLit4f63746f626572()) == 7 + } + + axiom { + strLen(stringLit44657374696e6174696f6e556e726561636861626c65()) == 22 + } + + axiom { + strLen(stringLit496e7465726e616c436f6e6e6563746976697479446f776e()) == + 24 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365()) == + 30 + } + + axiom { + strLen(stringLit466c6f7749445265717569726564()) == 14 + } + + axiom { + strLen(stringLit4a756c79()) == 4 + } + + axiom { + strLen(stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034()) == + 51 + } + + axiom { + strLen(stringLit424644()) == 3 + } + + axiom { + strLen(stringLit486f704279486f70()) == 8 + } + + 
axiom { + strLen(stringLit53434d50()) == 4 + } + + axiom { + strLen(stringLit556e6b6e6f776e5061746854797065()) == 15 + } + + axiom { + strLen(stringLit456e6432456e64()) == 7 + } + + axiom { + strLen(stringLit5361747572646179()) == 8 + } + + axiom { + strLen(stringLit496e76616c6964436f6d6d6f6e486561646572()) == 19 + } + + axiom { + strLen(stringLit556e6b6e6f776e5343494f4e56657273696f6e()) == 19 + } + + axiom { + strLen(stringLit446563656d626572()) == 8 + } + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + strLen(stringLit5468757273646179()) == 8 + } + + axiom { + strLen(stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit62756666657220746f6f2073686f7274()) == 16 + } + + axiom { + strLen(stringLit554e4b4e4f574e2028256429()) == 12 + } + + axiom { + strLen(stringLit6970()) == 2 + } + + axiom { + strLen(stringLit5472616365726f7574655265706c79()) == 15 + } + + axiom { + strLen(stringLit64657374696e6174696f6e2061646472657373206d697373696e67()) == + 27 + } + + axiom { + strLen(stringLit256428256429()) == 6 + } + + axiom { + strLen(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468()) == + 47 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e()) == + 52 + } + + axiom { + strLen(stringLit53657074656d626572()) == 9 + } + + axiom { + strLen(stringLit4563686f5265706c79()) == 9 + } + + axiom { + strLen(stringLit5061636b6574546f6f426967()) == 12 + } + + axiom { + strLen(stringLit496e76616c696450617468()) == 11 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365()) == + 31 + } + + axiom { + strLen(stringLit2573282564295c6e5061796c6f61643a202573()) == 19 + } + + axiom { + strLen(stringLit257328257329()) == 6 + } + + axiom { + 
strLen(stringLit417072696c()) == 5 + } + + axiom { + strLen(stringLit4665627275617279()) == 8 + } + + axiom { + strLen(stringLit53756e646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e20()) == + 26 + } + + axiom { + strLen(stringLit4f7074696f6e206e6f7420666f756e64()) == 16 + } + + axiom { + strLen(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468()) == + 55 + } + + axiom { + strLen(stringLit45787465726e616c496e74657266616365446f776e()) == 21 + } + + axiom { + strLen(stringLit4e6f76656d626572()) == 8 + } + + axiom { + strLen(stringLit556e6b6e6f776e41646472657373466f726d6174()) == 20 + } + + axiom { + strLen(stringLit54756573646179()) == 7 + } + + axiom { + strLen(stringLit4d6f6e646179()) == 6 + } + + axiom { + strLen(stringLit556e6b6e6f776e456e64546f456e644f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit496e76616c696444657374696e6174696f6e41646472657373()) == + 25 + } + + axiom { + strLen(stringLit6d696e()) == 3 + } + + axiom { + strLen(stringLit6d6178()) == 3 + } + + axiom { + strLen(stringLit616464724864724c656e()) == 10 + } + + axiom { + strLen(stringLit4e6f6e4c6f63616c44656c6976657279()) == 16 + } + + axiom { + strLen(stringLit5472616365726f75746552657175657374()) == 17 + } + + axiom { + strLen(stringLit496e76616c6964536f7572636541646472657373()) == 20 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704279486f704f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit4572726f6e656f75734865616465724669656c64()) == 20 + } + + axiom { + strLen(stringLit4a756e65()) == 4 + } + + axiom { + strLen(stringLit417567757374()) == 6 + } + + axiom { + strLen(stringLit61646472()) == 4 + } + + axiom { + strLen(stringLit4c6974746c65456e6469616e()) == 12 + } + + axiom { + strLen(stringLit4e6f6e65()) == 4 + } + + axiom { + strLen(stringLit6d696e696d756d()) == 7 + } + + axiom { + 
strLen(stringLit496e76616c69645061636b657453697a65()) == 17 + } + + axiom { + strLen(stringLit736f757263652061646472657373206d697373696e67()) == 22 + } + + axiom { + strLen(stringLit6c656e()) == 3 + } + + axiom { + strLen(stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e()) == + 43 + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit5343494f4e20686561646572206d697373696e67()) == 20 + } + + axiom { + strLen(stringLit496e76616c6964486f704669656c644d4143()) == 18 + } + + axiom { + strLen(stringLit556e6b6e6f776e4e65787448647254797065()) == 18 + } + + axiom { + strLen(stringLit5765646e6573646179()) == 9 + } + + axiom { + strLen(stringLit544350()) == 3 + } + + axiom { + strLen(stringLit6d696e696e756d5f6c65677468()) == 13 + } + + axiom { + strLen(stringLit496e76616c69645365676d656e744368616e6765()) == 20 + } + + axiom { + strLen(stringLit506172616d6574657250726f626c656d()) == 16 + } + + axiom { + strLen(stringLit6864724279746573()) == 8 + } +} + +domain PolyAdditionalAxioms { + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Slice[Ref]) } + (box_Poly((unbox_Poly(y): Slice[Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[Ref, Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Int) } + (box_Poly((unbox_Poly(y): Int)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): 
ShStruct3[ShStruct2[Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct0) } + (box_Poly((unbox_Poly(y): ShStruct0)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): Ref) == + y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == Path_4cddb96f_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref) == + y) + } 
+ + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == nilDecodeFeedback_b41831d7_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref) == + y) + } +} + +field Intuint16$$$$_E_$$$: Int + +field Bool$$$$_E_$$$: Bool + +field SliceIntbyte$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint32$$$$_E_$$$: Int + +field SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + +field SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint64$$$$_E_$$$: Int + +field DefinedPath_a6ceb89d_T$$$$_E_$$$: Tuple2[Ref, Types] + +field DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$: Int + +field Intuint8$$$$_E_$$$: Int + +field DefinedType_a6ceb89d_T$$$$_E_$$$: Int + +field PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + +field SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + +field PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + 
+field Interfaceempty_interface$$$$_E_$$$: Tuple2[Ref, Types] + +field SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct4[Ref, Ref, Ref, Ref]] + +field PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + +field DefinedAddrType_840d9458_T$$$$_E_$$$: Int + +field DefinedIA_cd675838_T$$$$_E_$$$: Int + +field Intbyte$$$$_E_$$$: Int + +field Intint$$$$_E_$$$: Int + +field DefinedL4ProtocolType_840d9458_T$$$$_E_$$$: Int + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +// decreases _ +function shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$(): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$] + ensures (ShStructget0of3(result): Ref) == null && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Emb_3_Intuint8$$$_S_$$$) == + box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(arrayNil_3_Intuint8$$$_S_$$$()) + + +// decreases +function addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Int + requires acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + ensures 0 <= result +{ + 2 * 8 + + 
Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) +} + +// decreases +function assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(b: Bool, + y: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMBase(s_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(s_V0), wildcard) + ensures result >= 4 + ensures result == + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +{ + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +} + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_4_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 4 || + result == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases _ +function shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[Ref, Ref] + ensures (ShStructget0of2(result): Ref) == null && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_4_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 4 || + x == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases +function 
PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMRaw(s_V0, buf_V0) +} + +// decreases _ +function box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || + x == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases _ +function Len_a6ceb89d_PMrawPath(p_V0: ShStruct2[Ref, Ref], underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) in + (slen((ShStructget0of2(p_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) +} + +// decreases +function assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(b: Bool, y: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref] + requires b +{ + y +} + +// decreases +function Length_840d9458_MAddrType(tl_V0: Int): Int + ensures result == 4 * (1 + BitAnd3_ca158f5e_F(tl_V0)) + ensures tl_V0 == 0 ==> result == 4 + ensures tl_V0 == 4 ==> result == 4 + ensures tl_V0 == 3 ==> result == 4 * 4 +{ + 4 * (1 + intBitwiseAnd(tl_V0, 3)) +} + +// decreases _ +function Len_c385169_PMPath(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: 
Slice[Ref]): Int + ensures result == 32 +{ + 32 +} + +// decreases +function getPathPure_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + pathType_V0: Int): Tuple2[Ref, Types] + requires 0 <= pathType_V0 && pathType_V0 < 256 + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, wildcard) + requires !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) + requires acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) +{ + (pathType_V0 < + (slen((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ? + (unfolding acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) in + (ShArrayloc((sarray((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + pathType_V0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) : + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) +} + +// decreases _ +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function arrayNil_3_Intuint8$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + 
+// decreases +function assertArg2_Tuple0(b: Bool, y: Tuple0): Tuple0 + requires b +{ + y +} + +// decreases +function PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c6e60a1d_PMPath(p_V0, ubuf_V0) +} + +// decreases _ +function shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + ensures (ShStructget0of2(result): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) == + shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$() && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_3_Intuint8$$$_S_$$$ + requires (ShArraylen(x): Int) == 3 || x == arrayNil_3_Intuint8$$$_S_$$$() + ensures unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases _ +function intBitwiseAnd(left: Int, right: Int): Int + + +// decreases +function BitAnd3_ca158f5e_F(b_V0: Int): Int + ensures 0 <= intBitwiseAnd(b_V0, 3) && intBitwiseAnd(b_V0, 3) <= 3 + ensures b_V0 == 0 ==> result == 0 + ensures b_V0 == 3 ==> result == 3 + ensures b_V0 == 4 ==> result == 0 + ensures result == intBitwiseAnd(b_V0, 3) + + +// decreases _ +function shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$(): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref] + ensures (ShStructget0of3(result): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$]) == + 
shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Ref) == null + + +// decreases +function assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(b: Bool, + y: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + requires b +{ + y +} + +// decreases _ +function shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$(): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures (ShStructget0of17(result): ShStruct2[Ref, Ref]) == + shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of17(result): Ref) == null && + (ShStructget2of17(result): Ref) == null && + (ShStructget3of17(result): Ref) == null && + (ShStructget4of17(result): Ref) == null && + (ShStructget5of17(result): Ref) == null && + (ShStructget6of17(result): Ref) == 
null && + (ShStructget7of17(result): Ref) == null && + (ShStructget8of17(result): Ref) == null && + (ShStructget9of17(result): Ref) == null && + (ShStructget10of17(result): Ref) == null && + (ShStructget11of17(result): Ref) == null && + (ShStructget12of17(result): Ref) == null && + (ShStructget13of17(result): Ref) == null && + (ShStructget14of17(result): Ref) == null && + (ShStructget15of17(result): Ref) == null && + (ShStructget16of17(result): Ref) == null + + +function ssliceFromArray_Ref(a: ShArray[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (ShArraylen(a): Int) + ensures (soffset(result): Int) == i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (ShArraylen(a): Int) - i + ensures (sarray(result): ShArray[Ref]) == a + + +// decreases _ +function Len_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures !hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> result == 16 + ensures hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> + result == + 16 + + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMRaw((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0, 16, (slen(ubuf_V0): Int)))) + + +// decreases +function Has3Bits_840d9458_MAddrType(a_V0: Int): Bool +{ + 0 <= a_V0 && a_V0 <= 7 +} + +// decreases _ +function Uint64_72f0d887_MbigEndian(e_V0: Int, b_V0: Slice[Ref]): Int + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, wildcard) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, wildcard) && + 
acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, wildcard) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, wildcard) + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 4)): Ref).Intbyte$$$$_E_$$$, wildcard) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 5)): Ref).Intbyte$$$$_E_$$$, wildcard) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 6)): Ref).Intbyte$$$$_E_$$$, wildcard) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 7)): Ref).Intbyte$$$$_E_$$$, wildcard) + ensures result >= 0 + + +// decreases _ +function ssliceFromSlice_Ref(s: Slice[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (scap(s): Int) + ensures (soffset(result): Int) == (soffset(s): Int) + i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (scap(s): Int) - i + ensures (sarray(result): ShArray[Ref]) == (sarray(s): ShArray[Ref]) + + +// decreases _ +function Len_daeaf66a_PMRaw(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + 
+// decreases +function AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + (unfolding acc(HeaderMem_840d9458_PMSCION(s_V0, ssliceFromSlice_Ref(ubuf_V0, + 12, (slen(ubuf_V0): Int))), wildcard) in + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$))) +} + +// decreases _ +function typeOfInterface_Y$558431e4_a6ceb89d_(itf: Tuple2[Ref, Types]): Types + ensures result == (get1of2(itf): Types) + ensures behavioral_subtype_Types(result, Y$558431e4_a6ceb89d__Types()) + + +// decreases _ +function sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$())) + + +// decreases _ +function unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(y: Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases +function assertArg2_ShStruct2_RefRef(b: Bool, y: ShStruct2[Ref, Ref]): ShStruct2[Ref, Ref] + requires b +{ + y +} + +// decreases +function 
IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf), wildcard) + + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_4_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 4 + ensures box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +// decreases _ +function arrayNil_4_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), pointer_Types(Path_c385169_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c385169_PMPath(o_V0, ubuf_V0) +} + +// decreases +function getNumHops_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases +function getNumINF_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result && result <= 3 +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases _ +function Len_4cddb96f_MPath(o_V0: 
Tuple0, underlyingBuf_V0: Slice[Ref]): Int + ensures 0 <= result +{ + 0 +} + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_4_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 4 + ensures unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf: Tuple2[Ref, Types], + underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures 
(get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 + + +// decreases _ +function arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function hasScionPath_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + buf_V0: Slice[Ref]): Bool + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result == + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +} + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +// decreases +function 
pathPoolInitialized_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Bool + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) +{ + !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) +} + +// decreases +function PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct2[Ref, Ref], + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_a6ceb89d_PMrawPath(p_V0, underlyingBuf_V0) +} + +// decreases +function Len_a6ceb89d_SY$558431e4_a6ceb89d_(thisItf: Tuple2[Ref, Types], underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, 
Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 +{ + (true ? + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ? + Len_a6ceb89d_PMrawPath(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(rawPath_a6ceb89d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ Len_daeaf66a_PMRaw(assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Raw_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c6e60a1d_T_Types()) ? + Len_c6e60a1d_PMPath(assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c6e60a1d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c385169_T_Types()) ? + Len_c385169_PMPath(assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c385169_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + Len_daeaf66a_PMDecoded(assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Decoded_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + Path_4cddb96f_T_Types() ? 
+ Len_4cddb96f_MPath(assertArg2_Tuple0(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + Path_4cddb96f_T_Types()), (unbox_Poly((get0of2(thisItf): Ref)): Tuple0)), + underlyingBuf_V0) : + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, + underlyingBuf_V0)))))))) +} + +// decreases _ +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases +function PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMDecoded(d_V0, ubuf_V0) +} + +// decreases +function AddrHdrLen_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref], insideSlayers_V0: Bool): Int + requires insideSlayers_V0 ==> + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires insideSlayers_V0 ==> + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires !insideSlayers_V0 ==> + 
acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures insideSlayers_V0 ==> + result == addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) + ensures !insideSlayers_V0 ==> + result == AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0, ubuf_V0) + ensures 0 <= result + + +// decreases +function assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(b: Bool, + y: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMDecoded(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases +function DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: Tuple0, + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), Path_4cddb96f_T_Types()): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_4cddb96f_MPath(o_V0, underlyingBuf_V0) +} + +// decreases _ +function 
unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(y: Emb_3_Intuint8$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 3 || + result == arrayNil_3_Intuint8$$$_S_$$$() + ensures box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == y + + +predicate dynamic_pred_0(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + ((get1of2(i): Types) == pointer_Types(EndToEndExtn_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): 
Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMEndToEndOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(EndToEndExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtn_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): 
Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMHopByHopOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == pointer_Types(SCION_840d9458_T_Types()) ? 
+ acc((ShStructget1of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget2of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget4of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) && + acc((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17((unbox_Poly((get0of2(i): 
Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ && + 0 <= + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) && + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 <= + (slen(x0): Int) && + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 && + acc((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + 
acc(dynamic_pred_6((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)), write) && + (let fn$$0 == + ((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + (ShStructget0of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4) && + (ShStructget1of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4, 
(slen(x0): Int)) && + 12 <= (slen(x0): Int) && + acc(HeaderMem_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + ssliceFromSlice_Ref(x0, 12, (slen(x0): Int))), write) && + 0 <= + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ && + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ < + 256 && + acc((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + (!pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + (pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref])) ==> + !((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + !((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$), write) && + (ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + getPathPure_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$)) && + (typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) ==> + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)) <= + (slen(x0): Int)) : + ((get1of2(i): Types) == pointer_Types(SCMP_840d9458_T_Types()) ? 
+ acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$()) ==> + acc(ChecksumMem_840d9458_PMSCION((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$), write)) : + ((get1of2(i): Types) == + pointer_Types(SCMPDestinationUnreachable_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMBaseLayer((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct2[Ref, Ref]])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPEcho_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 16), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) ? + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 24), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPPacketTooBig_840d9458_T_Types()) ? 
+ acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPParameterProblem_840d9458_T_Types()) ? + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPTraceroute_840d9458_T_Types()) ? + acc((ShStructget1of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget4of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 20), write) : + ((get1of2(i): Types) == + Payload_b41831d7_T_Types() ? 
+ x0 == + (unbox_Poly((get0of2(i): Ref)): Slice[Ref]) : + acc(dynamic_pred_0_unknown(i, x0), write))))))))))))))) +} + +predicate Mem_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) { + acc((ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget0of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget1of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 0): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 1): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 2): Ref).Intuint8$$$$_E_$$$, write) && + 0 <= (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ && + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ <= 3 && + 0 <= (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$ && + (0 < (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ ==> + 0 < (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +predicate HeaderMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) { + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + 
Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) <= (slen(ubuf_V0): Int) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) == + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) <= + (slen(ubuf_V0): Int) && + 0 < + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < 2 * 8 && + 2 * 8 < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) <= + (slen(ubuf_V0): Int) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8, 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) && + (ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8 + + 
Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$), + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) +} + +predicate AbsSlice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int) { + 0 <= start_V0 && start_V0 <= end_V0 && end_V0 <= (scap(s_V0): Int) && + (forall i_V1: Int :: + { (ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), i_V1)): Ref) } + start_V0 <= i_V1 && i_V1 < end_V0 ==> + acc((ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, write)) +} + +predicate PathPoolMemExceptOne_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types], + pathType_V0: Int) { + !(pathPool_V0 == sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + (slen(pathPool_V0): Int) == 4 && + (acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + Path_4cddb96f_T_Types()) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 2)): 
Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) && + (!(pathType_V0 == 2) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Raw_daeaf66a_T_Types()) && + (!(pathType_V0 == 1) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c6e60a1d_T_Types()) && + (!(pathType_V0 == 3) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + !(pathPoolRaw_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + (pathType_V0 < (slen(pathPool_V0): Int) ==> + acc(dynamic_pred_2(pathPoolRaw_V0), write)) +} + +predicate dynamic_pred_6(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + 
((get1of2(i): Types) == Path_4cddb96f_T_Types() ? + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(Path_4cddb96f_T_Types()) ? + (let fn$$0 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct0)) in + true) && + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(rawPath_a6ceb89d_T_Types()) ? + (let fn$$1 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$1): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$1): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write)) && + (ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + x0 : + ((get1of2(i): Types) == pointer_Types(Path_c385169_T_Types()) ? + (let fn$$2 == + ((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct4[Ref, Ref, Ref, Ref])) in + acc((ShStructget0of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget1of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$2): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$2): Ref).Intuint32$$$$_E_$$$, write)) && + acc(Mem_a6ceb89d_PMHopField((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + acc(Mem_a6ceb89d_PMHopField((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + 32 <= (slen(x0): Int) : + ((get1of2(i): Types) == pointer_Types(Path_c6e60a1d_T_Types()) ? 
+ (let fn$$3 == + ((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write)) && + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, write) && + !((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$()) && + 16 <= (slen(x0): Int) && + acc(dynamic_pred_6((tuple2((box_Poly((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$): Ref), + pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), ssliceFromSlice_Ref(x0, + 16, 
(slen(x0): Int))), write) : + ((get1of2(i): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + acc(Mem_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) <= + 3 && + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): 
Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget0of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 
== + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget1of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): 
ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget2of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, 
Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget3of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write))) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumHops_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + (forall i_V2: Int :: + { (ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + 
sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) } + 0 <= i_V2 && + i_V2 < + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_a6ceb89d_PMHopField((ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write)) : + ((get1of2(i): Types) == pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ acc(Mem_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) <= + (slen(x0): Int) && + (ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + Len_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) : + acc(dynamic_pred_6_unknown(i, x0), write)))))))) +} + +predicate dynamic_pred_0_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate ChecksumMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) + +predicate Mem_840d9458_PMHopByHopOption(o_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2325_V0: Int) + +predicate Mem_840d9458_PMextnBase(e_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) + +predicate 
Mem_a6ceb89d_PMHopField(h_V0: ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) + +predicate Mem_840d9458_PMEndToEndOption(e_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2372_V0: Int) + +predicate PathPoolMem_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types]) + +predicate ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate Mem_840d9458_PMBaseLayer(b_V0: ShStruct2[Ref, Ref], ub_V0: Slice[Ref], + breakPoint_V0: Int) + +predicate dynamic_pred_6_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate dynamic_pred_2(i: Tuple2[Ref, Types]) + +// decreases +method DecodeAddrHdr_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + data_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) + requires acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) + requires acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), 1 / + 4096) + ensures acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), 1 / + 4096) + ensures res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(HeaderMem_840d9458_PMSCION(s_V0, data_V0), write) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + 
acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) +{ + inhale res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl s_V0_CN0: *SCION_840d9458_T@°°, data_V0_CN1: []byte@°°, res_V0_CN2: error_a4af0e5e_T°° + var res_V0_CN2: Tuple2[Ref, Types] + var data_V0_CN1: Slice[Ref] + var s_V0_CN0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + + + + // init s_V0_CN0 + inhale s_V0_CN0 == + shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$() + + // init data_V0_CN1 + inhale data_V0_CN1 == sliceDefault_Intbyte$$$_S_$$$() + + // init res_V0_CN2 + inhale res_V0_CN2 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // s_V0_CN0 = s_V0 + s_V0_CN0 := s_V0 + + // data_V0_CN1 = data_V0 + data_V0_CN1 := 
data_V0 + + // decl l_V1: int°°, offset_V1: int°°, dstAddrBytes_V1: int°°, srcAddrBytes_V1: int°° + var srcAddrBytes_V1: Int + var dstAddrBytes_V1: Int + var offset_V1: Int + var l_V1: Int + + // init l_V1 + inhale l_V1 == 0 + + // l_V1 = s_V0_CN0.AddrHdrLen((nil:[]byte@°), true) + l_V1 := AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), + true) + + // if(len(data_V0_CN1) < s_V0_CN0.AddrHdrLen((nil:[]byte@°), true)) {...} else {...} + if ((slen(data_V0_CN1): Int) < + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true)) { + + // decl N8: []interface{ name is empty_interface }@°°, N9: error_a4af0e5e_T°° + var N9: Tuple2[Ref, Types] + var N8: Slice[Ref] + + // N8 = new([]interface{ name is empty_interface }@ { 0:toInterface("expected"), 1:toInterface(s_V0_CN0.AddrHdrLen((nil:[]byte@°), true)), 2:toInterface("actual"), 3:toInterface(len(data_V0_CN1)) }) + var fn$$0: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$2: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$3: Emb_4_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$1: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + fn$$1): Ref) } + 0 <= fn$$1 && fn$$1 < 4 ==> + acc((ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + fn$$1): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$0 == + box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_4_Interfaceempty_interface$$$_S_$$$())) + fn$$2 := fn$$0 + fn$$3 := box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit6578706563746564()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(AddrHdrLen_840d9458_PMSCION(s_V0_CN0, + sliceDefault_Intbyte$$$_S_$$$(), true)): Ref), int_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly(stringLit61637475616c()): Ref), string_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly((slen(data_V0_CN1): Int)): Ref), integer_Types()): Tuple2[Ref, 
Types]))) + inhale (forall fn$$4: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$2), + fn$$4): Ref) } + { unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$3)[fn$$4] } + 0 <= fn$$4 && fn$$4 < 4 ==> + (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$2), + fn$$4): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$3)[fn$$4]) + N8 := ssliceFromArray_Ref(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + 0, 4) + + // N9 = New_bfd5223e_F("provided buffer is too small", N8) + N9 := New_bfd5223e_F(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(), + N8) + + // res_V0_CN2 = N9 + res_V0_CN2 := N9 + + // return + goto returnLabel + } + + // init offset_V1 + inhale offset_V1 == 0 + + // offset_V1 = 0 + offset_V1 := 0 + + // unfold acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1)), perm(1/4096)) + unfold acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1, 0, (slen(data_V0_CN1): Int)), 1 / + 4096) + + // assert forall i_V2: int° :: { &data_V0_CN1[offset_V1:len(data_V0_CN1)][i_V2], &data_V0_CN1[i_V2] } 0 <= i_V2 && i_V2 < l_V1 ==> &data_V0_CN1[offset_V1:len(data_V0_CN1)][i_V2] == &data_V0_CN1[i_V2] + assert (forall i_V2: Int :: + { (ShArrayloc((sarray(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): ShArray[Ref]), + sadd((soffset(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): Int), + i_V2)): Ref) } + { (ShArrayloc((sarray(data_V0_CN1): ShArray[Ref]), sadd((soffset(data_V0_CN1): Int), + i_V2)): Ref) } + 0 <= i_V2 && i_V2 < l_V1 ==> + (ShArrayloc((sarray(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): ShArray[Ref]), + sadd((soffset(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): Int), + i_V2)): Ref) == + (ShArrayloc((sarray(data_V0_CN1): ShArray[Ref]), sadd((soffset(data_V0_CN1): Int), + i_V2)): Ref)) 
+ + // *s_V0_CN0.DstIAA = IA_cd675838_T°(0.Uint64(data_V0_CN1[offset_V1:len(data_V0_CN1)])) + (ShStructget10of17(s_V0_CN0): Ref).DefinedIA_cd675838_T$$$$_E_$$$ := Uint64_72f0d887_MbigEndian(0, + ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))) + + // offset_V1 = offset_V1 + 8 + offset_V1 := offset_V1 + 8 + + // assert forall i_V3: int° :: { &data_V0_CN1[offset_V1:len(data_V0_CN1)][i_V3] } 0 <= i_V3 && i_V3 < l_V1 ==> &data_V0_CN1[offset_V1:len(data_V0_CN1)][i_V3] == &data_V0_CN1[offset_V1 + i_V3] + assert (forall i_V3: Int :: + { (ShArrayloc((sarray(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): ShArray[Ref]), + sadd((soffset(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): Int), + i_V3)): Ref) } + 0 <= i_V3 && i_V3 < l_V1 ==> + (ShArrayloc((sarray(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): ShArray[Ref]), + sadd((soffset(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))): Int), + i_V3)): Ref) == + (ShArrayloc((sarray(data_V0_CN1): ShArray[Ref]), sadd((soffset(data_V0_CN1): Int), + offset_V1 + i_V3)): Ref)) + + // *s_V0_CN0.SrcIAA = IA_cd675838_T°(0.Uint64(data_V0_CN1[offset_V1:len(data_V0_CN1)])) + (ShStructget11of17(s_V0_CN0): Ref).DefinedIA_cd675838_T$$$$_E_$$$ := Uint64_72f0d887_MbigEndian(0, + ssliceFromSlice_Ref(data_V0_CN1, offset_V1, (slen(data_V0_CN1): Int))) + + // fold acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1)), perm(1/4096)) + fold acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1, 0, (slen(data_V0_CN1): Int)), 1 / + 4096) + + // offset_V1 = offset_V1 + 8 + offset_V1 := offset_V1 + 8 + + // init dstAddrBytes_V1 + inhale dstAddrBytes_V1 == 0 + + // dstAddrBytes_V1 = *s_V0_CN0.DstAddrTypeA.Length() + dstAddrBytes_V1 := Length_840d9458_MAddrType((ShStructget8of17(s_V0_CN0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + // init srcAddrBytes_V1 + inhale srcAddrBytes_V1 == 0 + + // srcAddrBytes_V1 = 
*s_V0_CN0.SrcAddrTypeA.Length() + srcAddrBytes_V1 := Length_840d9458_MAddrType((ShStructget9of17(s_V0_CN0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + // *s_V0_CN0.RawDstAddrA = data_V0_CN1[offset_V1:offset_V1 + dstAddrBytes_V1] + (ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ := ssliceFromSlice_Ref(data_V0_CN1, + offset_V1, offset_V1 + dstAddrBytes_V1) + + // offset_V1 = offset_V1 + dstAddrBytes_V1 + offset_V1 := offset_V1 + dstAddrBytes_V1 + + // *s_V0_CN0.RawSrcAddrA = data_V0_CN1[offset_V1:offset_V1 + srcAddrBytes_V1] + (ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ := ssliceFromSlice_Ref(data_V0_CN1, + offset_V1, offset_V1 + srcAddrBytes_V1) + + // fold acc(s_V0_CN0.HeaderMem(data_V0_CN1)) + fold acc(HeaderMem_840d9458_PMSCION(s_V0_CN0, data_V0_CN1), write) + + // res_V0_CN2 = (nil:error_a4af0e5e_T°) + res_V0_CN2 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN2 + res_V0 := res_V0_CN2 +} + +// decreases _ +method New_bfd5223e_F(msg_V0: Int, errCtx_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures 
IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0)
diff --git a/src/test/resources/biabduction/frontends/gobra/scion_DecodeFromBytes.vpr b/src/test/resources/biabduction/frontends/gobra/scion_DecodeFromBytes.vpr
new file mode 100644
index 00000000..fd8d16c4
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/gobra/scion_DecodeFromBytes.vpr
@@ -0,0 +1,4461 @@ +domain ShStruct2[T0, T1] { + + function ShStructget1of2(x: ShStruct2[T0, T1]): T1 + + function ShStructget0of2(x: ShStruct2[T0, T1]): T0 + + function ShStructrev1of2(v1: T1): ShStruct2[T0, T1] + + function ShStructrev0of2(v0: T0): ShStruct2[T0, T1] + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget1of2(x): T1) } + (ShStructrev1of2((ShStructget1of2(x): T1)): ShStruct2[T0, T1]) == x) + } + + axiom { + (forall x: ShStruct2[T0, T1], y: ShStruct2[T0, T1] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of2(x): T0) == (ShStructget0of2(y): T0) && + (ShStructget1of2(x): T1) == (ShStructget1of2(y): T1))) + } + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget0of2(x): T0) } + (ShStructrev0of2((ShStructget0of2(x): T0)): ShStruct2[T0, T1]) == x) + } +} + +domain ShStruct0 { + + axiom { + (forall x: ShStruct0, y: ShStruct0 :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == true) + } +} + +domain Emb_4_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain ShStruct1[T0] { + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } +} + +domain ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] { + + function ShStructget10of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T10 + + function ShStructget4of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T4 + + function ShStructrev4of17(v4: T4): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev10of17(v10: T10): ShStruct17[T0, T1, T2, T3, T4, T5, T6, 
T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev13of17(v13: T13): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget5of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T5 + + function ShStructrev0of17(v0: T0): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev2of17(v2: T2): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev1of17(v1: T1): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget6of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T6 + + function ShStructrev15of17(v15: T15): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget7of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T7 + + function ShStructrev14of17(v14: T14): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev7of17(v7: T7): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget2of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T2 + + function ShStructget8of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T8 + + function ShStructget11of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T11 + + function ShStructrev12of17(v12: T12): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev11of17(v11: T11): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget3of17(x: ShStruct17[T0, T1, T2, T3, T4, 
T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T3 + + function ShStructrev9of17(v9: T9): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev8of17(v8: T8): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev5of17(v5: T5): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev3of17(v3: T3): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget16of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T16 + + function ShStructget14of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T14 + + function ShStructget13of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T13 + + function ShStructrev16of17(v16: T16): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev6of17(v6: T6): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget9of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T9 + + function ShStructget12of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T12 + + function ShStructget0of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T0 + + function ShStructget1of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T1 + + function ShStructget15of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T15 + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget10of17(x): T10) } + 
(ShStructrev10of17((ShStructget10of17(x): T10)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget1of17(x): T1) } + (ShStructrev1of17((ShStructget1of17(x): T1)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget2of17(x): T2) } + (ShStructrev2of17((ShStructget2of17(x): T2)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget16of17(x): T16) } + (ShStructrev16of17((ShStructget16of17(x): T16)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget8of17(x): T8) } + (ShStructrev8of17((ShStructget8of17(x): T8)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget3of17(x): T3) } + (ShStructrev3of17((ShStructget3of17(x): T3)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget12of17(x): T12) } + (ShStructrev12of17((ShStructget12of17(x): T12)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, 
T11, T12, T13, T14, T15, T16] :: + { (ShStructget7of17(x): T7) } + (ShStructrev7of17((ShStructget7of17(x): T7)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget11of17(x): T11) } + (ShStructrev11of17((ShStructget11of17(x): T11)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16], + y: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of17(x): T0) == (ShStructget0of17(y): T0) && + (ShStructget1of17(x): T1) == (ShStructget1of17(y): T1) && + (ShStructget2of17(x): T2) == (ShStructget2of17(y): T2) && + (ShStructget3of17(x): T3) == (ShStructget3of17(y): T3) && + (ShStructget4of17(x): T4) == (ShStructget4of17(y): T4) && + (ShStructget5of17(x): T5) == (ShStructget5of17(y): T5) && + (ShStructget6of17(x): T6) == (ShStructget6of17(y): T6) && + (ShStructget7of17(x): T7) == (ShStructget7of17(y): T7) && + (ShStructget8of17(x): T8) == (ShStructget8of17(y): T8) && + (ShStructget9of17(x): T9) == (ShStructget9of17(y): T9) && + (ShStructget10of17(x): T10) == (ShStructget10of17(y): T10) && + (ShStructget11of17(x): T11) == (ShStructget11of17(y): T11) && + (ShStructget12of17(x): T12) == (ShStructget12of17(y): T12) && + (ShStructget13of17(x): T13) == (ShStructget13of17(y): T13) && + (ShStructget14of17(x): T14) == (ShStructget14of17(y): T14) && + (ShStructget15of17(x): T15) == (ShStructget15of17(y): T15) && + (ShStructget16of17(x): T16) == (ShStructget16of17(y): T16))) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget5of17(x): T5) } + 
(ShStructrev5of17((ShStructget5of17(x): T5)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget4of17(x): T4) } + (ShStructrev4of17((ShStructget4of17(x): T4)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget6of17(x): T6) } + (ShStructrev6of17((ShStructget6of17(x): T6)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget15of17(x): T15) } + (ShStructrev15of17((ShStructget15of17(x): T15)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget9of17(x): T9) } + (ShStructrev9of17((ShStructget9of17(x): T9)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget0of17(x): T0) } + (ShStructrev0of17((ShStructget0of17(x): T0)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget14of17(x): T14) } + (ShStructrev14of17((ShStructget14of17(x): T14)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, 
T12, T13, T14, T15, T16] :: + { (ShStructget13of17(x): T13) } + (ShStructrev13of17((ShStructget13of17(x): T13)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } +} + +domain Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ { + + +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain Emb_6_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain Emb_2_Intuint8$$$_S_$$$ { + + +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function scap(s: Slice[T]): Int + + function soffset(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + function slen(s: Slice[T]): Int + + axiom deconstructor_over_constructor_array { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) == a) + } + + axiom { + (forall s: Slice[T] :: + { (soffset(s): Int), (scap(s): Int) } + { (ShArraylen((sarray(s): ShArray[T])): Int) } + (soffset(s): Int) + (scap(s): Int) <= + (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom deconstructor_over_constructor_len { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (slen((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (slen((smake(a, o, l, c): Slice[T])): Int) == l) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: + { (slen(s): Int) } + { (scap(s): Int) } + (slen(s): Int) <= (scap(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom deconstructor_over_constructor_offset { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (soffset((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (soffset((smake(a, o, l, c): Slice[T])): Int) 
== o) + } + + axiom deconstructor_over_constructor_cap { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (scap((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (scap((smake(a, o, l, c): Slice[T])): Int) == c) + } + + axiom { + (forall s: Slice[T] :: + { (sarray(s): ShArray[T]) } + { (soffset(s): Int) } + { (slen(s): Int) } + { (scap(s): Int) } + s == + (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShStruct6[T0, T1, T2, T3, T4, T5] { + + function ShStructget1of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T1 + + function ShStructget0of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T0 + + function ShStructrev3of6(v3: T3): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev4of6(v4: T4): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget5of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T5 + + function ShStructget3of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T3 + + function ShStructget2of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T2 + + function ShStructrev0of6(v0: T0): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev2of6(v2: T2): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev1of6(v1: T1): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev5of6(v5: T5): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget4of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T4 + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget3of6(x): T3) } + (ShStructrev3of6((ShStructget3of6(x): T3)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget1of6(x): T1) } + (ShStructrev1of6((ShStructget1of6(x): T1)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5], y: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of6(x): T0) == (ShStructget0of6(y): 
T0) && + (ShStructget1of6(x): T1) == (ShStructget1of6(y): T1) && + (ShStructget2of6(x): T2) == (ShStructget2of6(y): T2) && + (ShStructget3of6(x): T3) == (ShStructget3of6(y): T3) && + (ShStructget4of6(x): T4) == (ShStructget4of6(y): T4) && + (ShStructget5of6(x): T5) == (ShStructget5of6(y): T5))) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget0of6(x): T0) } + (ShStructrev0of6((ShStructget0of6(x): T0)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget2of6(x): T2) } + (ShStructrev2of6((ShStructget2of6(x): T2)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget5of6(x): T5) } + (ShStructrev5of6((ShStructget5of6(x): T5)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget4of6(x): T4) } + (ShStructrev4of6((ShStructget4of6(x): T4)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraysecond(r: T): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraylen(a: ShArray[T]): Int + + axiom { + (forall a: ShArray[T] :: + { (ShArraylen(a): Int) } + (ShArraylen(a): Int) >= 0) + } + + axiom { + (forall a: ShArray[T], i: Int :: + { (ShArrayloc(a, i): T) } + 0 <= i && i < (ShArraylen(a): Int) ==> + (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && + (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget1of5(x: 
ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructrev0of5(v0: T0): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && + (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && + (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && + (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && + (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget4of5(x): T4) } + (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget1of5(x): T1) } + (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget3of5(x): T3) } + (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget2of5(x): T2) } + (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget0of5(x): T0) } + (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } +} + +domain Types { + + unique function Decoded_daeaf66a_T_Types_tag(): Int + + function pointer_Types(p0: Types): Types + + unique function SCMPCode_840d9458_T_Types_tag(): Int + + function SCMPEcho_840d9458_T_Types(): Types + + unique function SCMPEcho_840d9458_T_Types_tag(): Int + + unique function SCMPExternalInterfaceDown_840d9458_T_Types_tag(): Int + + function 
Raw_daeaf66a_T_Types(): Types + + function HostIPv4_cd675838_T_Types(): Types + + unique function littleEndian_72f0d887_T_Types_tag(): Int + + function int_Types(): Types + + unique function Y$febd64e7_b41831d7__Types_tag(): Int + + function uint16_Types(): Types + + unique function empty_interface_Types_tag(): Int + + function Y$53a71dc3_5c610647__Types(): Types + + unique function EndToEndExtnSkipper_840d9458_T_Types_tag(): Int + + function SCMPTypeCode_840d9458_T_Types(): Types + + unique function AddrType_840d9458_T_Types_tag(): Int + + function SCION_840d9458_T_Types(): Types + + unique function Y$9c78df5f_b41831d7__Types_tag(): Int + + function Y$b28ae4_ac87dd1d__Types(): Types + + unique function Raw_daeaf66a_T_Types_tag(): Int + + function IA_cd675838_T_Types(): Types + + unique function Payload_b41831d7_T_Types_tag(): Int + + function HostSVC_cd675838_T_Types(): Types + + function SCMPDestinationUnreachable_840d9458_T_Types(): Types + + unique function rawPath_a6ceb89d_T_Types_tag(): Int + + unique function HopByHopExtn_840d9458_T_Types_tag(): Int + + function SCMP_840d9458_T_Types(): Types + + function nil_Types(): Types + + unique function Path_c6e60a1d_T_Types_tag(): Int + + function LayerType_b41831d7_T_Types(): Types + + function Y$c2e55be_72f0d887__Types(): Types + + unique function HostIPv6_cd675838_T_Types_tag(): Int + + function Y$8f734176_14a7fb6d__Types(): Types + + unique function HostIPv4_cd675838_T_Types_tag(): Int + + unique function SCMPInternalConnectivityDown_840d9458_T_Types_tag(): Int + + function Decoded_daeaf66a_T_Types(): Types + + unique function HostSVC_cd675838_T_Types_tag(): Int + + function byte_Types(): Types + + function integer_Types(): Types + + function Y$17800ab4_b41831d7__Types(): Types + + unique function LayerType_b41831d7_T_Types_tag(): Int + + unique function IPAddr_5c610647_T_Types_tag(): Int + + function Y$febd64e7_b41831d7__Types(): Types + + function Y$60c7bddc_b41831d7__Types(): Types + + function 
bigEndian_72f0d887_T_Types(): Types + + function Y$9127f611_b41831d7__Types(): Types + + unique function SCMP_840d9458_T_Types_tag(): Int + + function Y$49c4c25f_d3743b4f__Types(): Types + + unique function SCION_840d9458_T_Types_tag(): Int + + unique function Path_c385169_T_Types_tag(): Int + + function Y$6914870a_b41831d7__Types(): Types + + unique function HostNone_cd675838_T_Types_tag(): Int + + function nilDecodeFeedback_b41831d7_T_Types(): Types + + unique function Y$17800ab4_b41831d7__Types_tag(): Int + + function Path_c6e60a1d_T_Types(): Types + + function littleEndian_72f0d887_T_Types(): Types + + function HopByHopExtn_840d9458_T_Types(): Types + + unique function integer_Types_tag(): Int + + unique function IA_cd675838_T_Types_tag(): Int + + function empty_interface_Types(): Types + + function SCMPInternalConnectivityDown_840d9458_T_Types(): Types + + unique function Y$3191b69e_b41831d7__Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function SCMPType_840d9458_T_Types(): Types + + unique function string_Types_tag(): Int + + function get_0_pointer_Types(t: Types): Types + + function SCMPParameterProblem_840d9458_T_Types(): Types + + function tag_Types(t: Types): Int + + function HostIPv6_cd675838_T_Types(): Types + + unique function Y$35202e5_cd675838__Types_tag(): Int + + unique function Y$49c4c25f_d3743b4f__Types_tag(): Int + + function Path_4cddb96f_T_Types(): Types + + function AddrType_840d9458_T_Types(): Types + + unique function HopByHopExtnSkipper_840d9458_T_Types_tag(): Int + + function string_Types(): Types + + unique function byte_Types_tag(): Int + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + unique function SCMPDestinationUnreachable_840d9458_T_Types_tag(): Int + + function Y$35202e5_cd675838__Types(): Types + + unique function SCMPTraceroute_840d9458_T_Types_tag(): Int + + unique function slice_Types_tag(): Int + + unique function Y$b28ae4_ac87dd1d__Types_tag(): Int + + unique function 
Y$558431e4_a6ceb89d__Types_tag(): Int + + unique function SCMPTypeCode_840d9458_T_Types_tag(): Int + + unique function Y$9127f611_b41831d7__Types_tag(): Int + + unique function pointer_Types_tag(): Int + + unique function nil_Types_tag(): Int + + function Y$558431e4_a6ceb89d__Types(): Types + + unique function EndToEndExtn_840d9458_T_Types_tag(): Int + + function L4ProtocolType_840d9458_T_Types(): Types + + function EndToEndExtn_840d9458_T_Types(): Types + + function SCMPPacketTooBig_840d9458_T_Types(): Types + + unique function Y$68d3cee9_b41831d7__Types_tag(): Int + + unique function UDPAddr_5c610647_T_Types_tag(): Int + + unique function BFD_6416454f_T_Types_tag(): Int + + function BFD_6416454f_T_Types(): Types + + function Y$68d3cee9_b41831d7__Types(): Types + + function Payload_b41831d7_T_Types(): Types + + function HostNone_cd675838_T_Types(): Types + + unique function Y$6914870a_b41831d7__Types_tag(): Int + + unique function SCMPParameterProblem_840d9458_T_Types_tag(): Int + + unique function Y$8f734176_14a7fb6d__Types_tag(): Int + + unique function uint16_Types_tag(): Int + + unique function SCMPType_840d9458_T_Types_tag(): Int + + function Path_c385169_T_Types(): Types + + unique function SCMPPacketTooBig_840d9458_T_Types_tag(): Int + + function EndToEndExtnSkipper_840d9458_T_Types(): Types + + function Y$9c78df5f_b41831d7__Types(): Types + + unique function int_Types_tag(): Int + + unique function Path_4cddb96f_T_Types_tag(): Int + + unique function L4ProtocolType_840d9458_T_Types_tag(): Int + + unique function Y$c2e55be_72f0d887__Types_tag(): Int + + function UDPAddr_5c610647_T_Types(): Types + + function Y$3191b69e_b41831d7__Types(): Types + + function SCMPExternalInterfaceDown_840d9458_T_Types(): Types + + unique function AS_cd675838_T_Types_tag(): Int + + unique function bigEndian_72f0d887_T_Types_tag(): Int + + function SCMPTraceroute_840d9458_T_Types(): Types + + unique function Y$53a71dc3_5c610647__Types_tag(): Int + + function 
AS_cd675838_T_Types(): Types + + function slice_Types(p0: Types): Types + + unique function nilDecodeFeedback_b41831d7_T_Types_tag(): Int + + function SCMPCode_840d9458_T_Types(): Types + + unique function Y$60c7bddc_b41831d7__Types_tag(): Int + + function IPAddr_5c610647_T_Types(): Types + + function HopByHopExtnSkipper_840d9458_T_Types(): Types + + function rawPath_a6ceb89d_T_Types(): Types + + axiom { + comparableType_Types(string_Types()) == true + } + + axiom { + tag_Types(BFD_6416454f_T_Types()) == BFD_6416454f_T_Types_tag() + } + + axiom { + comparableType_Types(L4ProtocolType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Path_c385169_T_Types()) == Path_c385169_T_Types_tag() + } + + axiom { + comparableType_Types(Y$b28ae4_ac87dd1d__Types()) == false + } + + axiom { + comparableType_Types(Y$6914870a_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(AS_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPType_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPTypeCode_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + comparableType_Types(Y$febd64e7_b41831d7__Types()) == false + } + + axiom { + tag_Types(Path_c6e60a1d_T_Types()) == Path_c6e60a1d_T_Types_tag() + } + + axiom { + comparableType_Types(BFD_6416454f_T_Types()) == true + } + + axiom { + comparableType_Types(Y$3191b69e_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(HostSVC_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(Path_4cddb96f_T_Types()) == true + } + + axiom { + comparableType_Types(UDPAddr_5c610647_T_Types()) == true + } + + axiom { + comparableType_Types(Y$60c7bddc_b41831d7__Types()) == false + } + + axiom { + tag_Types(HopByHopExtnSkipper_840d9458_T_Types()) == + HopByHopExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + (forall p0: Types :: + { pointer_Types(p0) } + tag_Types(pointer_Types(p0)) == pointer_Types_tag()) + } + + axiom 
{ + comparableType_Types(Y$9127f611_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(Y$68d3cee9_b41831d7__Types()) == false + } + + axiom { + tag_Types(IA_cd675838_T_Types()) == IA_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(IPAddr_5c610647_T_Types()) == true + } + + axiom { + comparableType_Types(HopByHopExtn_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(IA_cd675838_T_Types()) == true + } + + axiom { + tag_Types(Y$3191b69e_b41831d7__Types()) == + Y$3191b69e_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(Decoded_daeaf66a_T_Types()) == true + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + comparableType_Types(Y$8f734176_14a7fb6d__Types()) == false + } + + axiom { + comparableType_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(Y$60c7bddc_b41831d7__Types()) == + Y$60c7bddc_b41831d7__Types_tag() + } + + axiom { + tag_Types(SCMPPacketTooBig_840d9458_T_Types()) == + SCMPPacketTooBig_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(HostIPv4_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(uint16_Types()) == true + } + + axiom { + tag_Types(Y$49c4c25f_d3743b4f__Types()) == + Y$49c4c25f_d3743b4f__Types_tag() + } + + axiom { + comparableType_Types(SCMPCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$68d3cee9_b41831d7__Types()) == + Y$68d3cee9_b41831d7__Types_tag() + } + + axiom { + tag_Types(Payload_b41831d7_T_Types()) == Payload_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(bigEndian_72f0d887_T_Types()) == + bigEndian_72f0d887_T_Types_tag() + } + + axiom { + tag_Types(AS_cd675838_T_Types()) == AS_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(LayerType_b41831d7_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(Path_c6e60a1d_T_Types()) == 
true + } + + axiom { + (forall p0: Types :: + { comparableType_Types(slice_Types(p0)) } + comparableType_Types(slice_Types(p0)) == false) + } + + axiom { + tag_Types(HostNone_cd675838_T_Types()) == + HostNone_cd675838_T_Types_tag() + } + + axiom { + tag_Types(LayerType_b41831d7_T_Types()) == + LayerType_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(int_Types()) == int_Types_tag() + } + + axiom { + tag_Types(Path_4cddb96f_T_Types()) == Path_4cddb96f_T_Types_tag() + } + + axiom { + tag_Types(SCMP_840d9458_T_Types()) == SCMP_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HostIPv6_cd675838_T_Types()) == + HostIPv6_cd675838_T_Types_tag() + } + + axiom { + tag_Types(SCMPTraceroute_840d9458_T_Types()) == + SCMPTraceroute_840d9458_T_Types_tag() + } + + axiom { + tag_Types(integer_Types()) == integer_Types_tag() + } + + axiom { + comparableType_Types(Y$17800ab4_b41831d7__Types()) == false + } + + axiom { + tag_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + SCMPDestinationUnreachable_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$c2e55be_72f0d887__Types()) == false + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } + + axiom { + tag_Types(SCMPEcho_840d9458_T_Types()) == + SCMPEcho_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$17800ab4_b41831d7__Types()) == + Y$17800ab4_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(SCMPPacketTooBig_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPTraceroute_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(bigEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(integer_Types()) == true + } + + axiom { + comparableType_Types(HopByHopExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + tag_Types(HostIPv4_cd675838_T_Types()) == + HostIPv4_cd675838_T_Types_tag() + } + + axiom { + tag_Types(SCMPTypeCode_840d9458_T_Types()) == + SCMPTypeCode_840d9458_T_Types_tag() + } + + axiom { + 
comparableType_Types(Path_c385169_T_Types()) == true + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(SCMPEcho_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(littleEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(SCMP_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$558431e4_a6ceb89d__Types()) == + Y$558431e4_a6ceb89d__Types_tag() + } + + axiom { + tag_Types(SCMPParameterProblem_840d9458_T_Types()) == + SCMPParameterProblem_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(nilDecodeFeedback_b41831d7_T_Types()) == true + } + + axiom { + tag_Types(SCMPType_840d9458_T_Types()) == + SCMPType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$9c78df5f_b41831d7__Types()) == + Y$9c78df5f_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(Y$558431e4_a6ceb89d__Types()) == false + } + + axiom { + comparableType_Types(rawPath_a6ceb89d_T_Types()) == true + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + comparableType_Types(SCION_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$febd64e7_b41831d7__Types()) == + Y$febd64e7_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$c2e55be_72f0d887__Types()) == + Y$c2e55be_72f0d887__Types_tag() + } + + axiom { + tag_Types(SCION_840d9458_T_Types()) == SCION_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + SCMPExternalInterfaceDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(uint16_Types()) == uint16_Types_tag() + } + + axiom { + comparableType_Types(AddrType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(HopByHopExtn_840d9458_T_Types()) == + 
HopByHopExtn_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(HostIPv6_cd675838_T_Types()) == false + } + + axiom { + tag_Types(L4ProtocolType_840d9458_T_Types()) == + L4ProtocolType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$9c78df5f_b41831d7__Types()) == false + } + + axiom { + tag_Types(rawPath_a6ceb89d_T_Types()) == rawPath_a6ceb89d_T_Types_tag() + } + + axiom { + tag_Types(EndToEndExtnSkipper_840d9458_T_Types()) == + EndToEndExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$b28ae4_ac87dd1d__Types()) == Y$b28ae4_ac87dd1d__Types_tag() + } + + axiom { + comparableType_Types(SCMPParameterProblem_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Decoded_daeaf66a_T_Types()) == Decoded_daeaf66a_T_Types_tag() + } + + axiom { + comparableType_Types(int_Types()) == true + } + + axiom { + comparableType_Types(EndToEndExtn_840d9458_T_Types()) == true + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + tag_Types(UDPAddr_5c610647_T_Types()) == UDPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(Y$49c4c25f_d3743b4f__Types()) == false + } + + axiom { + tag_Types(littleEndian_72f0d887_T_Types()) == + littleEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(Raw_daeaf66a_T_Types()) == true + } + + axiom { + tag_Types(Y$35202e5_cd675838__Types()) == + Y$35202e5_cd675838__Types_tag() + } + + axiom { + tag_Types(HostSVC_cd675838_T_Types()) == HostSVC_cd675838_T_Types_tag() + } + + axiom { + tag_Types(Y$6914870a_b41831d7__Types()) == + Y$6914870a_b41831d7__Types_tag() + } + + axiom { + tag_Types(nilDecodeFeedback_b41831d7_T_Types()) == + nilDecodeFeedback_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(SCMPCode_840d9458_T_Types()) == + SCMPCode_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + SCMPInternalConnectivityDown_840d9458_T_Types_tag() + } + + axiom { + 
tag_Types(AddrType_840d9458_T_Types()) == + AddrType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Raw_daeaf66a_T_Types()) == Raw_daeaf66a_T_Types_tag() + } + + axiom { + tag_Types(IPAddr_5c610647_T_Types()) == IPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(EndToEndExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + tag_Types(byte_Types()) == byte_Types_tag() + } + + axiom { + tag_Types(EndToEndExtn_840d9458_T_Types()) == + EndToEndExtn_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$8f734176_14a7fb6d__Types()) == + Y$8f734176_14a7fb6d__Types_tag() + } + + axiom { + comparableType_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(byte_Types()) == true + } + + axiom { + (forall x0: Types :: + { pointer_Types(x0) } + get_0_pointer_Types(pointer_Types(x0)) == x0) + } + + axiom { + tag_Types(string_Types()) == string_Types_tag() + } + + axiom { + comparableType_Types(Payload_b41831d7_T_Types()) == false + } + + axiom { + tag_Types(Y$9127f611_b41831d7__Types()) == + Y$9127f611_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(Y$53a71dc3_5c610647__Types()) == false + } + + axiom { + tag_Types(Y$53a71dc3_5c610647__Types()) == + Y$53a71dc3_5c610647__Types_tag() + } + + axiom { + (forall p0: Types :: + { slice_Types(p0) } + tag_Types(slice_Types(p0)) == slice_Types_tag()) + } + + axiom { + comparableType_Types(HostNone_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(Y$35202e5_cd675838__Types()) == false + } + + axiom { + (forall p0: Types :: + { comparableType_Types(pointer_Types(p0)) } + comparableType_Types(pointer_Types(p0)) == true) + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { (tuple2(t0, 
t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget3of4(x): T3) } + (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget1of4(x): T1) } + (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget0of4(x): T0) } + (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && + (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && + (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && + (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget2of4(x): T2) } + (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == + x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructget2of3(x: 
ShStruct3[T0, T1, T2]): T2 + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Emb_6_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain Emb_3_Intuint8$$$_S_$$$ { + + +} + +domain Tuple0 { + + +} + +domain Emb_6_Intbyte$$$_S_$$$ { + + +} + +domain Emb_4_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain ComparableInterfaceDomain { + + function comparableInterface(i: Tuple2[Ref, Types]): Bool + + axiom { + (forall i: Tuple2[Ref, Types] :: + { comparableInterface(i) } + comparableType_Types((get1of2(i): Types)) ==> comparableInterface(i)) + } +} + +domain Poly[T] { + + function box_Poly(x: T): Ref + + function unbox_Poly(y: Ref): T + + axiom { + (forall x: T :: + { (box_Poly(x): Ref) } + (unbox_Poly((box_Poly(x): Ref)): T) == x) + } +} + +domain String { + + unique function 
stringLit61646472(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e(): Int + + unique function stringLit5468757273646179(): Int + + unique function stringLit5765646e6573646179(): Int + + unique function stringLit556e6b6e6f776e4e65787448647254797065(): Int + + unique function stringLit496e76616c6964536f7572636541646472657373(): Int + + unique function stringLit45787465726e616c496e74657266616365446f776e(): Int + + unique function stringLit736f757263652061646472657373206d697373696e67(): Int + + unique function stringLit6970(): Int + + unique function stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e(): Int + + unique function stringLit556e6b6e6f776e486f704279486f704f7074696f6e(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e20(): Int + + unique function stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(): Int + + unique function stringLit44657374696e6174696f6e556e726561636861626c65(): Int + + unique function stringLit62756666657220746f6f2073686f7274(): Int + + unique function stringLit5472616365726f7574655265706c79(): Int + + unique function stringLit496e76616c6964457874656e73696f6e486561646572(): Int + + unique function stringLit5343494f4e20686561646572206d697373696e67(): Int + + unique function stringLit616464724864724c656e(): Int + + unique function stringLit6d696e696e756d5f6c65677468(): Int + + unique function stringLit4e6f6e65(): Int + + unique function stringLit4f63746f626572(): Int + + unique function stringLit5061746845787069726564(): Int + + unique function stringLit4563686f5265706c79(): Int + + unique function stringLit6864724279746573(): Int + + unique function stringLit496e76616c6964486f704669656c644d4143(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique 
function stringLit496e76616c69645365676d656e744368616e6765(): Int + + unique function stringLit5061636b6574546f6f426967(): Int + + unique function stringLit62696e6172792e4c6974746c65456e6469616e(): Int + + unique function stringLit424644(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032(): Int + + unique function stringLit496e76616c69645061636b657453697a65(): Int + + unique function stringLit5472616365726f75746552657175657374(): Int + + unique function stringLit556e6b6e6f776e5061746854797065(): Int + + unique function stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(): Int + + unique function stringLit257328257329(): Int + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit456e6432456e64(): Int + + unique function stringLit4c6974746c65456e6469616e(): Int + + unique function stringLit4d6179(): Int + + unique function stringLit486f704279486f70(): Int + + unique function stringLit686561646572206c656e6774682065786365656473206d6178696d756d(): Int + + unique function stringLit6d6178(): Int + + unique function stringLit4a616e75617279(): Int + + unique function stringLit417072696c(): Int + + unique function stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564(): Int + + unique function stringLit256428256429(): Int + + unique function stringLit4a756e65(): Int + + unique function stringLit467269646179(): Int + + unique function stringLit506172616d6574657250726f626c656d(): Int + + unique function stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572(): Int + + unique function stringLit53657074656d626572(): Int + + unique function stringLit64657374696e6174696f6e2061646472657373206d697373696e67(): Int + + unique function 
stringLit496e7465726e616c436f6e6e6563746976697479446f776e(): Int + + unique function stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit426967456e6469616e(): Int + + unique function stringLit417567757374(): Int + + unique function stringLit4665627275617279(): Int + + unique function stringLit446563656d626572(): Int + + unique function stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034(): Int + + unique function stringLit556e6b6e6f776e41646472657373466f726d6174(): Int + + unique function stringLit496e76616c6964436f6d6d6f6e486561646572(): Int + + unique function stringLit6c656e(): Int + + unique function stringLit53756e646179(): Int + + unique function stringLit556e6b6e6f776e5343494f4e56657273696f6e(): Int + + unique function stringLit6d696e696d756d(): Int + + unique function stringLit4e6f6e4c6f63616c44656c6976657279(): Int + + unique function stringLit554e4b4e4f574e2028256429(): Int + + unique function stringLit436d644864724c656e(): Int + + unique function stringLit5361747572646179(): Int + + unique function stringLit6578706563746564(): Int + + unique function stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(): Int + + unique function stringLit257328436f64653a20256429(): Int + + unique function stringLit6d696e(): Int + + unique function stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(): Int + + unique function stringLit4572726f6e656f75734865616465724669656c64(): Int + + unique function stringLit466c6f7749445265717569726564(): Int + + unique function stringLit4d6f6e646179(): Int + + unique function stringLit4a756c79(): Int + + unique function stringLit756470(): Int + + unique function stringLit4563686f52657175657374(): Int + + unique function stringLit(): Int + + unique function stringLit756e737570706f727465642061646472657373(): Int + + unique function 
stringLit496e76616c696450617468(): Int + + unique function stringLit54756573646179(): Int + + unique function stringLit544350(): Int + + unique function stringLit4e6f76656d626572(): Int + + unique function stringLit556e6b6e6f776e456e64546f456e644f7074696f6e(): Int + + unique function stringLit74797065(): Int + + unique function stringLit2573282564295c6e5061796c6f61643a202573(): Int + + unique function stringLit496e76616c696441646472657373486561646572(): Int + + unique function stringLit53434d50(): Int + + unique function stringLit4d61726368(): Int + + unique function stringLit4f7074696f6e206e6f7420666f756e64(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365(): Int + + unique function stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573(): Int + + unique function stringLit61637475616c(): Int + + unique function stringLit62696e6172792e426967456e6469616e(): Int + + unique function stringLit554450(): Int + + unique function stringLit496e76616c696444657374696e6174696f6e41646472657373(): Int + + axiom { + strLen(stringLit5061746845787069726564()) == 11 + } + + axiom { + strLen(stringLit74797065()) == 4 + } + + axiom { + strLen(stringLit6578706563746564()) == 8 + } + + axiom { + strLen(stringLit756470()) == 3 + } + + axiom { + strLen(stringLit436d644864724c656e()) == 9 + } + + axiom { + strLen(stringLit62696e6172792e426967456e6469616e()) == 16 + } + + axiom { + strLen(stringLit496e76616c696441646472657373486561646572()) == 20 + } + + axiom { + strLen(stringLit257328436f64653a20256429()) == 12 + } + + axiom { + strLen(stringLit4563686f52657175657374()) == 11 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit686561646572206c656e6774682065786365656473206d6178696d756d()) == + 29 + } + + axiom { + strLen(stringLit496e76616c6964457874656e73696f6e486561646572()) == 22 + } + + axiom { + 
strLen(stringLit61637475616c()) == 6 + } + + axiom { + strLen(stringLit4d61726368()) == 5 + } + + axiom { + strLen(stringLit62696e6172792e4c6974746c65456e6469616e()) == 19 + } + + axiom { + strLen(stringLit467269646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032()) == + 47 + } + + axiom { + strLen(stringLit554450()) == 3 + } + + axiom { + strLen(stringLit426967456e6469616e()) == 9 + } + + axiom { + strLen(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e()) == + 32 + } + + axiom { + strLen(stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572()) == + 47 + } + + axiom { + strLen(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c()) == + 28 + } + + axiom { + strLen(stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573()) == + 38 + } + + axiom { + strLen(stringLit4a616e75617279()) == 7 + } + + axiom { + strLen(stringLit4d6179()) == 3 + } + + axiom { + strLen(stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564()) == + 39 + } + + axiom { + strLen(stringLit756e737570706f727465642061646472657373()) == 19 + } + + axiom { + strLen(stringLit4f63746f626572()) == 7 + } + + axiom { + strLen(stringLit44657374696e6174696f6e556e726561636861626c65()) == 22 + } + + axiom { + strLen(stringLit496e7465726e616c436f6e6e6563746976697479446f776e()) == + 24 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365()) == + 30 + } + + axiom { + strLen(stringLit466c6f7749445265717569726564()) == 14 + } + + axiom { + strLen(stringLit4a756c79()) == 4 + } + + axiom { + strLen(stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034()) == + 51 + } + + axiom { + strLen(stringLit486f704279486f70()) == 8 + } + + axiom { + strLen(stringLit424644()) == 3 + } + + 
axiom { + strLen(stringLit53434d50()) == 4 + } + + axiom { + strLen(stringLit556e6b6e6f776e5061746854797065()) == 15 + } + + axiom { + strLen(stringLit456e6432456e64()) == 7 + } + + axiom { + strLen(stringLit5361747572646179()) == 8 + } + + axiom { + strLen(stringLit496e76616c6964436f6d6d6f6e486561646572()) == 19 + } + + axiom { + strLen(stringLit556e6b6e6f776e5343494f4e56657273696f6e()) == 19 + } + + axiom { + strLen(stringLit446563656d626572()) == 8 + } + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + strLen(stringLit5468757273646179()) == 8 + } + + axiom { + strLen(stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit6970()) == 2 + } + + axiom { + strLen(stringLit554e4b4e4f574e2028256429()) == 12 + } + + axiom { + strLen(stringLit62756666657220746f6f2073686f7274()) == 16 + } + + axiom { + strLen(stringLit5472616365726f7574655265706c79()) == 15 + } + + axiom { + strLen(stringLit64657374696e6174696f6e2061646472657373206d697373696e67()) == + 27 + } + + axiom { + strLen(stringLit256428256429()) == 6 + } + + axiom { + strLen(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468()) == + 47 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e()) == + 52 + } + + axiom { + strLen(stringLit53657074656d626572()) == 9 + } + + axiom { + strLen(stringLit4563686f5265706c79()) == 9 + } + + axiom { + strLen(stringLit5061636b6574546f6f426967()) == 12 + } + + axiom { + strLen(stringLit496e76616c696450617468()) == 11 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365()) == + 31 + } + + axiom { + strLen(stringLit2573282564295c6e5061796c6f61643a202573()) == 19 + } + + axiom { + strLen(stringLit417072696c()) == 5 + } + + axiom { + 
strLen(stringLit4665627275617279()) == 8 + } + + axiom { + strLen(stringLit257328257329()) == 6 + } + + axiom { + strLen(stringLit53756e646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e20()) == + 26 + } + + axiom { + strLen(stringLit4f7074696f6e206e6f7420666f756e64()) == 16 + } + + axiom { + strLen(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468()) == + 55 + } + + axiom { + strLen(stringLit45787465726e616c496e74657266616365446f776e()) == 21 + } + + axiom { + strLen(stringLit4e6f76656d626572()) == 8 + } + + axiom { + strLen(stringLit556e6b6e6f776e41646472657373466f726d6174()) == 20 + } + + axiom { + strLen(stringLit54756573646179()) == 7 + } + + axiom { + strLen(stringLit4d6f6e646179()) == 6 + } + + axiom { + strLen(stringLit556e6b6e6f776e456e64546f456e644f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit496e76616c696444657374696e6174696f6e41646472657373()) == + 25 + } + + axiom { + strLen(stringLit6d696e()) == 3 + } + + axiom { + strLen(stringLit6d6178()) == 3 + } + + axiom { + strLen(stringLit5472616365726f75746552657175657374()) == 17 + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704279486f704f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit616464724864724c656e()) == 10 + } + + axiom { + strLen(stringLit4e6f6e4c6f63616c44656c6976657279()) == 16 + } + + axiom { + strLen(stringLit496e76616c6964536f7572636541646472657373()) == 20 + } + + axiom { + strLen(stringLit4572726f6e656f75734865616465724669656c64()) == 20 + } + + axiom { + strLen(stringLit417567757374()) == 6 + } + + axiom { + strLen(stringLit61646472()) == 4 + } + + axiom { + strLen(stringLit4c6974746c65456e6469616e()) == 12 + } + + axiom { + strLen(stringLit4a756e65()) == 4 + } + + axiom { + strLen(stringLit4e6f6e65()) == 4 + } + + axiom { + strLen(stringLit6d696e696d756d()) == 7 + } + + axiom { + 
strLen(stringLit496e76616c69645061636b657453697a65()) == 17 + } + + axiom { + strLen(stringLit736f757263652061646472657373206d697373696e67()) == 22 + } + + axiom { + strLen(stringLit6c656e()) == 3 + } + + axiom { + strLen(stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e()) == + 43 + } + + axiom { + strLen(stringLit5343494f4e20686561646572206d697373696e67()) == 20 + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit496e76616c6964486f704669656c644d4143()) == 18 + } + + axiom { + strLen(stringLit556e6b6e6f776e4e65787448647254797065()) == 18 + } + + axiom { + strLen(stringLit5765646e6573646179()) == 9 + } + + axiom { + strLen(stringLit544350()) == 3 + } + + axiom { + strLen(stringLit6d696e696e756d5f6c65677468()) == 13 + } + + axiom { + strLen(stringLit496e76616c69645365676d656e744368616e6765()) == 20 + } + + axiom { + strLen(stringLit506172616d6574657250726f626c656d()) == 16 + } + + axiom { + strLen(stringLit6864724279746573()) == 8 + } +} + +domain PolyAdditionalAxioms { + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct0) } + (box_Poly((unbox_Poly(y): ShStruct0)): Ref) == y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == Path_4cddb96f_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[Ref, Ref, Ref])): 
Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Int) } + (box_Poly((unbox_Poly(y): Int)): Ref) == y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == nilDecodeFeedback_b41831d7_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, 
Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Slice[Ref]) } + (box_Poly((unbox_Poly(y): Slice[Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref) == + y) + } +} + +field Intuint16$$$$_E_$$$: Int + +field Bool$$$$_E_$$$: Bool + +field SliceIntbyte$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint32$$$$_E_$$$: Int + +field SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + +field SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint64$$$$_E_$$$: Int + +field DefinedPath_a6ceb89d_T$$$$_E_$$$: Tuple2[Ref, Types] + +field DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$: Int + +field Intuint8$$$$_E_$$$: Int + +field DefinedType_a6ceb89d_T$$$$_E_$$$: Int + +field PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + +field SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + +field PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + +field 
Interfaceempty_interface$$$$_E_$$$: Tuple2[Ref, Types] + +field SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct4[Ref, Ref, Ref, Ref]] + +field PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + +field DefinedAddrType_840d9458_T$$$$_E_$$$: Int + +field DefinedIA_cd675838_T$$$$_E_$$$: Int + +field Intbyte$$$$_E_$$$: Int + +field Intint$$$$_E_$$$: Int + +field DefinedL4ProtocolType_840d9458_T$$$$_E_$$$: Int + +// decreases _ +function unbox_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_6_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 6 + ensures box_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +// decreases _ +function shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$(): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$] + ensures (ShStructget0of3(result): Ref) == null && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Emb_3_Intuint8$$$_S_$$$) == + box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(arrayNil_3_Intuint8$$$_S_$$$()) + + +// decreases +function addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Int + requires acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + ensures 0 <= result +{ + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + 
+ Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) +} + +// decreases +function assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(b: Bool, + y: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMBase(s_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(s_V0), wildcard) + ensures result >= 4 + ensures result == + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +{ + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +} + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_4_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 4 || + result == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases _ +function shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[Ref, Ref] + ensures (ShStructget0of2(result): Ref) == null && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_4_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 4 || + x == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases +function 
PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMRaw(s_V0, buf_V0) +} + +// decreases _ +function box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || + x == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases +function assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(b: Bool, y: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref] + requires b +{ + y +} + +// decreases +function Length_840d9458_MAddrType(tl_V0: Int): Int + ensures result == 4 * (1 + BitAnd3_ca158f5e_F(tl_V0)) + ensures tl_V0 == 0 ==> result == 4 + ensures tl_V0 == 4 ==> result == 4 + ensures tl_V0 == 3 ==> result == 4 * 4 +{ + 4 * (1 + intBitwiseAnd(tl_V0, 3)) +} + +// decreases _ +function Len_c385169_PMPath(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + ensures result == 32 +{ + 32 +} + +// decreases +function getPathPure_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + pathType_V0: Int): Tuple2[Ref, Types] + requires 0 <= pathType_V0 && pathType_V0 < 256 + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, wildcard) + requires !((ShStructget15of17(s_V0): 
Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) + requires acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) +{ + (pathType_V0 < + (slen((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ? + (unfolding acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) in + (ShArrayloc((sarray((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + pathType_V0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) : + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) +} + +// decreases _ +function arrayNil_6_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +// decreases _ +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function arrayNil_3_Intuint8$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + 
(ShArrayloc(result, idx): Ref) == null) + + +// decreases +function assertArg2_Tuple0(b: Bool, y: Tuple0): Tuple0 + requires b +{ + y +} + +// decreases +function PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c6e60a1d_PMPath(p_V0, ubuf_V0) +} + +// decreases _ +function shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + ensures (ShStructget0of2(result): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) == + shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$() && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_3_Intuint8$$$_S_$$$ + requires (ShArraylen(x): Int) == 3 || x == arrayNil_3_Intuint8$$$_S_$$$() + ensures unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases _ +function intBitwiseAnd(left: Int, right: Int): Int + + +// decreases +function InferSizeUb_c385169_PMPath(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ub_V0: Slice[Ref]): Bool + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), pointer_Types(Path_c385169_T_Types())): Tuple2[Ref, Types]), + ub_V0), wildcard) + ensures result +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), pointer_Types(Path_c385169_T_Types())): Tuple2[Ref, Types]), + ub_V0), wildcard) in + Len_c385169_PMPath(o_V0, ub_V0) <= (slen(ub_V0): Int)) +} + +// decreases 
+function BitAnd3_ca158f5e_F(b_V0: Int): Int + ensures 0 <= intBitwiseAnd(b_V0, 3) && intBitwiseAnd(b_V0, 3) <= 3 + ensures b_V0 == 0 ==> result == 0 + ensures b_V0 == 3 ==> result == 3 + ensures b_V0 == 4 ==> result == 0 + ensures result == intBitwiseAnd(b_V0, 3) + + +// decreases _ +function shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$(): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref] + ensures (ShStructget0of3(result): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$]) == + shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Ref) == null + + +// decreases +function assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(b: Bool, + y: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + requires b +{ + y +} + +// decreases _ +function 
shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$(): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures (ShStructget0of17(result): ShStruct2[Ref, Ref]) == + shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of17(result): Ref) == null && + (ShStructget2of17(result): Ref) == null && + (ShStructget3of17(result): Ref) == null && + (ShStructget4of17(result): Ref) == null && + (ShStructget5of17(result): Ref) == null && + (ShStructget6of17(result): Ref) == null && + (ShStructget7of17(result): Ref) == null && + (ShStructget8of17(result): Ref) == null && + (ShStructget9of17(result): Ref) == null && + (ShStructget10of17(result): Ref) == null && + (ShStructget11of17(result): Ref) == null && + (ShStructget12of17(result): Ref) == null && + (ShStructget13of17(result): Ref) == null && + (ShStructget14of17(result): Ref) == null && + (ShStructget15of17(result): Ref) == null && + (ShStructget16of17(result): Ref) == null + + +function ssliceFromArray_Ref(a: ShArray[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (ShArraylen(a): Int) + ensures (soffset(result): Int) == i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (ShArraylen(a): Int) - i + 
ensures (sarray(result): ShArray[Ref]) == a + + +// decreases _ +function box_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_6_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 6 + ensures unbox_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function intShiftRight(left: Int, right: Int): Int + requires right >= 0 + + +// decreases _ +function Len_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures !hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> result == 16 + ensures hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> + result == + 16 + + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMRaw((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0, 16, (slen(ubuf_V0): Int)))) + + +// decreases +function Has3Bits_840d9458_MAddrType(a_V0: Int): Bool +{ + 0 <= a_V0 && a_V0 <= 7 +} + +// decreases _ +function ssliceFromSlice_Ref(s: Slice[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (scap(s): Int) + ensures (soffset(result): Int) == (soffset(s): Int) + i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (scap(s): Int) - i + ensures (sarray(result): ShArray[Ref]) == (sarray(s): ShArray[Ref]) + + +// decreases _ +function Len_daeaf66a_PMRaw(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures (unfolding 
acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases +function AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + (unfolding acc(HeaderMem_840d9458_PMSCION(s_V0, ssliceFromSlice_Ref(ubuf_V0, + 12, (slen(ubuf_V0): Int))), wildcard) in + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$))) +} + +// decreases _ +function typeOfInterface_Y$558431e4_a6ceb89d_(itf: Tuple2[Ref, Types]): Types + ensures result == (get1of2(itf): Types) + ensures behavioral_subtype_Types(result, Y$558431e4_a6ceb89d__Types()) + + +// decreases _ +function sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + 
unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$())) + + +// decreases _ +function unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(y: Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases +function assertArg2_ShStruct2_RefRef(b: Bool, y: ShStruct2[Ref, Ref]): ShStruct2[Ref, Ref] + requires b +{ + y +} + +// decreases _ +function box_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_6_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 6 || + x == arrayNil_6_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases +function IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf), wildcard) + + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_4_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 4 + ensures box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +// decreases _ +function arrayNil_4_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, 
Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), pointer_Types(Path_c385169_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c385169_PMPath(o_V0, ubuf_V0) +} + +// decreases +function getNumHops_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases +function getNumINF_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result && result <= 3 +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases _ +function Len_4cddb96f_MPath(o_V0: Tuple0, underlyingBuf_V0: Slice[Ref]): Int + ensures 0 <= result +{ + 0 +} + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_4_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 4 + ensures unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_6_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 6 || + result == arrayNil_6_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases _ +function Len_a6ceb89d_PMrawPath(p_V0: ShStruct2[Ref, Ref], underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): 
Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) in + (slen((ShStructget0of2(p_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) +} + +// decreases _ +function Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf: Tuple2[Ref, Types], + underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + 
PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 + + +// decreases _ +function arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function hasScionPath_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + buf_V0: Slice[Ref]): Bool + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result == + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +} + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +// decreases +function pathPoolInitialized_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Bool + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) +{ + !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) +} + +// decreases +function PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct2[Ref, Ref], + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_a6ceb89d_PMrawPath(p_V0, underlyingBuf_V0) +} + +// decreases +function Len_a6ceb89d_SY$558431e4_a6ceb89d_(thisItf: Tuple2[Ref, Types], underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, 
Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 +{ + (true ? + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ? + Len_a6ceb89d_PMrawPath(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(rawPath_a6ceb89d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ Len_daeaf66a_PMRaw(assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Raw_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c6e60a1d_T_Types()) ? + Len_c6e60a1d_PMPath(assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c6e60a1d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c385169_T_Types()) ? + Len_c385169_PMPath(assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c385169_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + Len_daeaf66a_PMDecoded(assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Decoded_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + Path_4cddb96f_T_Types() ? 
+ Len_4cddb96f_MPath(assertArg2_Tuple0(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + Path_4cddb96f_T_Types()), (unbox_Poly((get0of2(thisItf): Ref)): Tuple0)), + underlyingBuf_V0) : + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, + underlyingBuf_V0)))))))) +} + +// decreases _ +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases +function PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMDecoded(d_V0, ubuf_V0) +} + +// decreases +function AddrHdrLen_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref], insideSlayers_V0: Bool): Int + requires insideSlayers_V0 ==> + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires insideSlayers_V0 ==> + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires !insideSlayers_V0 ==> + 
acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures insideSlayers_V0 ==> + result == addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) + ensures !insideSlayers_V0 ==> + result == AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0, ubuf_V0) + ensures 0 <= result + + +// decreases +function assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(b: Bool, + y: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMDecoded(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases +function DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: Tuple0, + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), Path_4cddb96f_T_Types()): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_4cddb96f_MPath(o_V0, underlyingBuf_V0) +} + +// decreases _ +function 
unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(y: Emb_3_Intuint8$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 3 || + result == arrayNil_3_Intuint8$$$_S_$$$() + ensures box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == y + + +predicate dynamic_pred_0(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + ((get1of2(i): Types) == pointer_Types(EndToEndExtn_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): 
Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMEndToEndOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(EndToEndExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtn_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): 
Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMHopByHopOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == pointer_Types(SCION_840d9458_T_Types()) ? 
+ acc((ShStructget1of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget2of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget4of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) && + acc((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17((unbox_Poly((get0of2(i): 
Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ && + 0 <= + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) && + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 <= + (slen(x0): Int) && + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 && + acc((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + 
acc(dynamic_pred_6((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)), write) && + (let fn$$0 == + ((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + (ShStructget0of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4) && + (ShStructget1of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4, 
(slen(x0): Int)) && + 12 <= (slen(x0): Int) && + acc(HeaderMem_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + ssliceFromSlice_Ref(x0, 12, (slen(x0): Int))), write) && + 0 <= + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ && + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ < + 256 && + acc((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + (!pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + (pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref])) ==> + !((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + !((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$), write) && + (ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + getPathPure_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$)) && + (typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) ==> + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)) <= + (slen(x0): Int)) : + ((get1of2(i): Types) == pointer_Types(SCMP_840d9458_T_Types()) ? 
+ acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$()) ==> + acc(ChecksumMem_840d9458_PMSCION((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$), write)) : + ((get1of2(i): Types) == + pointer_Types(SCMPDestinationUnreachable_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMBaseLayer((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct2[Ref, Ref]])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPEcho_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 16), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) ? + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 24), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPPacketTooBig_840d9458_T_Types()) ? 
+ acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPParameterProblem_840d9458_T_Types()) ? + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPTraceroute_840d9458_T_Types()) ? + acc((ShStructget1of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget4of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 20), write) : + ((get1of2(i): Types) == + Payload_b41831d7_T_Types() ? 
+ x0 == + (unbox_Poly((get0of2(i): Ref)): Slice[Ref]) : + acc(dynamic_pred_0_unknown(i, x0), write))))))))))))))) +} + +predicate PathPoolMem_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types]) { + (pathPool_V0 == sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$() ==> + pathPoolRaw_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + (!(pathPool_V0 == sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) ==> + (slen(pathPool_V0): Int) == 4 && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + Path_4cddb96f_T_Types() && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) && + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + 
(tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Raw_daeaf66a_T_Types()) && + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c6e60a1d_T_Types()) && + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) && + !(pathPoolRaw_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(dynamic_pred_2(pathPoolRaw_V0), write)) +} + +predicate HeaderMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) { + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 
addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) <= (slen(ubuf_V0): Int) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) == + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) <= + (slen(ubuf_V0): Int) && + 0 < + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < 2 * 8 && + 2 * 8 < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) <= + (slen(ubuf_V0): Int) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8, 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) && + (ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$), + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) +} + 
+predicate dynamic_pred_3(i: Tuple2[Ref, Types]) { + ((get1of2(i): Types) == pointer_Types(EndToEndExtn_840d9458_T_Types()) ? + (let fn$$0 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])) in + (let fn$$1 == + ((ShStructget0of2(fn$$0): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])) in + (let fn$$2 == + ((ShStructget0of4(fn$$1): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$2): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$2): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + acc((ShStructget1of4(fn$$1): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$1): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$1): Ref).Intint$$$$_E_$$$, write)) && + acc((ShStructget1of2(fn$$0): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write)) : + ((get1of2(i): Types) == + pointer_Types(EndToEndExtnSkipper_840d9458_T_Types()) ? + (let fn$$3 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])) in + (let fn$$4 == + ((ShStructget0of1(fn$$3): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])) in + (let fn$$5 == + ((ShStructget0of4(fn$$4): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$5): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$5): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + acc((ShStructget1of4(fn$$4): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$4): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$4): Ref).Intint$$$$_E_$$$, write))) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtn_840d9458_T_Types()) ? 
+ (let fn$$6 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])) in + (let fn$$7 == + ((ShStructget0of2(fn$$6): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])) in + (let fn$$8 == + ((ShStructget0of4(fn$$7): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$8): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$8): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + acc((ShStructget1of4(fn$$7): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$7): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$7): Ref).Intint$$$$_E_$$$, write)) && + acc((ShStructget1of2(fn$$6): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write)) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtnSkipper_840d9458_T_Types()) ? + (let fn$$9 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])) in + (let fn$$10 == + ((ShStructget0of1(fn$$9): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])) in + (let fn$$11 == + ((ShStructget0of4(fn$$10): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$11): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$11): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + acc((ShStructget1of4(fn$$10): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$10): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$10): Ref).Intint$$$$_E_$$$, write))) : + ((get1of2(i): Types) == pointer_Types(SCION_840d9458_T_Types()) ? 
+ acc((ShStructget1of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget2of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget4of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) && + acc((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget9of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget10of17((unbox_Poly((get0of2(i): Ref)): 
ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget11of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget12of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget13of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + (let fn$$12 == + ((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$12): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$12): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + acc((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + acc(PathPoolMem_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) : + ((get1of2(i): Types) == pointer_Types(SCMP_840d9458_T_Types()) ? + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + (let fn$$13 == + ((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$13): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$13): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$ == + 
shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$()) ==> + acc(ChecksumMem_840d9458_PMSCION((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$), write)) : + acc(dynamic_pred_3_unknown(i), write))))))) +} + +predicate Mem_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) { + acc((ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget0of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget1of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 0): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 1): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, 
Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 2): Ref).Intuint8$$$$_E_$$$, write) && + 0 <= (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ && + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ <= 3 && + 0 <= (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$ && + (0 < (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ ==> + 0 < (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +predicate AbsSlice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int) { + 0 <= start_V0 && start_V0 <= end_V0 && end_V0 <= (scap(s_V0): Int) && + (forall i_V1: Int :: + { (ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), i_V1)): Ref) } + start_V0 <= i_V1 && i_V1 < end_V0 ==> + acc((ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, write)) +} + +predicate PathPoolMemExceptOne_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types], + pathType_V0: Int) { + !(pathPool_V0 == sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + (slen(pathPool_V0): Int) == 4 && + (acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + Path_4cddb96f_T_Types()) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): 
ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) && + (!(pathType_V0 == 2) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Raw_daeaf66a_T_Types()) && + (!(pathType_V0 == 1) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c6e60a1d_T_Types()) && + (!(pathType_V0 == 3) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + !(pathPoolRaw_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + (pathType_V0 < (slen(pathPool_V0): Int) ==> + acc(dynamic_pred_2(pathPoolRaw_V0), write)) +} + +predicate 
dynamic_pred_6(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + ((get1of2(i): Types) == Path_4cddb96f_T_Types() ? + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(Path_4cddb96f_T_Types()) ? + (let fn$$0 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct0)) in + true) && + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(rawPath_a6ceb89d_T_Types()) ? + (let fn$$1 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$1): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$1): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write)) && + (ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + x0 : + ((get1of2(i): Types) == pointer_Types(Path_c385169_T_Types()) ? + (let fn$$2 == + ((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct4[Ref, Ref, Ref, Ref])) in + acc((ShStructget0of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget1of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$2): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$2): Ref).Intuint32$$$$_E_$$$, write)) && + acc(Mem_a6ceb89d_PMHopField((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + acc(Mem_a6ceb89d_PMHopField((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + 32 <= (slen(x0): Int) : + ((get1of2(i): Types) 
== pointer_Types(Path_c6e60a1d_T_Types()) ? + (let fn$$3 == + ((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write)) && + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, write) && + !((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$()) && + 16 <= (slen(x0): Int) && + acc(dynamic_pred_6((tuple2((box_Poly((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$): Ref), + pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, 
Types]), ssliceFromSlice_Ref(x0, + 16, (slen(x0): Int))), write) : + ((get1of2(i): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + acc(Mem_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) <= + 3 && + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, 
Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget0of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): 
Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget1of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + 
((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget2of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): 
ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget3of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write))) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumHops_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + (forall i_V2: Int :: + { (ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, 
Ref, Emb_6_Intbyte$$$_S_$$$]]), + sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) } + 0 <= i_V2 && + i_V2 < + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_a6ceb89d_PMHopField((ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write)) : + ((get1of2(i): Types) == pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ acc(Mem_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) <= + (slen(x0): Int) && + (ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + Len_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) : + acc(dynamic_pred_6_unknown(i, x0), write)))))))) +} + +predicate dynamic_pred_0_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate ChecksumMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) + +predicate Mem_840d9458_PMHopByHopOption(o_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2325_V0: Int) + +predicate dynamic_pred_10(i: Tuple2[Ref, Types]) + +predicate Mem_840d9458_PMextnBase(e_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], 
+ ubuf_V0: Slice[Ref]) + +predicate Mem_a6ceb89d_PMHopField(h_V0: ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) + +predicate Mem_840d9458_PMEndToEndOption(e_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2372_V0: Int) + +predicate ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate Mem_840d9458_PMBaseLayer(b_V0: ShStruct2[Ref, Ref], ub_V0: Slice[Ref], + breakPoint_V0: Int) + +predicate dynamic_pred_6_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate dynamic_pred_2(i: Tuple2[Ref, Types]) + +predicate dynamic_pred_3_unknown(i: Tuple2[Ref, Types]) + +// decreases +method DecodeAddrHdr_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + data_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) + requires acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) + requires acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), 1 / + 4096) + ensures acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), 1 / + 4096) + ensures res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(HeaderMem_840d9458_PMSCION(s_V0, data_V0), write) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + 
acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) + + +// decreases +method SetTruncated_b41831d7_SY$9127f611_b41831d7_(thisItf: Tuple2[Ref, Types]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_10(thisItf), write) + ensures acc(dynamic_pred_10(thisItf), write) + + +// decreases +method PathPoolMemExchange_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + pathType_V0: Int, p_V0: Tuple2[Ref, Types]) + requires 0 <= pathType_V0 && pathType_V0 < 256 + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, 1 / + 4194304) + requires pathPoolInitialized_840d9458_PMSCION(s_V0) ==> + acc(dynamic_pred_2(p_V0), write) && + acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), write) && + p_V0 == getPathPure_840d9458_PMSCION(s_V0, pathType_V0) + requires !pathPoolInitialized_840d9458_PMSCION(s_V0) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) + ensures 
acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, 1 / + 4194304) + ensures acc(PathPoolMem_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) + + +// decreases +method CombineAtIndex_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + idx_V0: Int, p_V0: Perm) + requires 0 / 1 <= p_V0 + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, idx_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, idx_V0, end_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, end_V0), p_V0) + + +// decreases +method SplitRange_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (slen(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, (slen(s_V0): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, end_V0 - start_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, start_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, end_V0, (slen(s_V0): Int)), p_V0) + + +// decreases +method PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$_DecodeFromBytes_840d9458_PMSCION_DecodeFromBytes_b41831d7_SY$60c7bddc_b41831d7__proof(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + data_V0: Slice[Ref], df_V0: Tuple2[Ref, Types]) + returns (res_V0: Tuple2[Ref, Types]) + requires acc(dynamic_pred_3((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + requires !(df_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), write) + requires acc(dynamic_pred_10(df_V0), 
write) + ensures acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), write) + ensures acc(dynamic_pred_10(df_V0), write) + ensures res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + data_V0), write) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(dynamic_pred_3((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) +{ + inhale res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl + + + + // res_V0 = s_V0DecodeFromBytes(data_V0, df_V0) + res_V0 := DecodeFromBytes_840d9458_PMSCION(s_V0, data_V0, df_V0) + label returnLabel +} + +// decreases +method DecodeFromBytes_840d9458_PMSCION$L$26$1(data_V0_CN1$in: Slice[Ref], s_V0_CN0$in: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) + requires acc((ShStructget4of17(s_V0_CN0$in): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17(s_V0_CN0$in): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17(s_V0_CN0$in): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget7of17(s_V0_CN0$in): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) + requires acc((ShStructget8of17(s_V0_CN0$in): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget9of17(s_V0_CN0$in): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, write) + requires 12 <= (slen(data_V0_CN1$in): Int) && + acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1$in, 0, (slen(data_V0_CN1$in): Int)), 1 / + 131072) + ensures acc((ShStructget4of17(s_V0_CN0$in): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17(s_V0_CN0$in): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17(s_V0_CN0$in): Ref).Intuint16$$$$_E_$$$, write) && + 
acc((ShStructget7of17(s_V0_CN0$in): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) + ensures acc((ShStructget8of17(s_V0_CN0$in): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget9of17(s_V0_CN0$in): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, write) + ensures 12 <= (slen(data_V0_CN1$in): Int) && + acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1$in, 0, (slen(data_V0_CN1$in): Int)), 1 / + 131072) + ensures Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0_CN0$in): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0_CN0$in): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + ensures 0 <= + (ShStructget7of17(s_V0_CN0$in): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ && + (ShStructget7of17(s_V0_CN0$in): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ < + 256 + + +// decreases +method getPath_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + pathType_V0: Int) + returns (res_V0: Tuple2[Ref, Types], err_V0: Tuple2[Ref, Types]) + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, 1 / + 4194304) + requires acc(PathPoolMem_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) + requires 0 <= pathType_V0 && pathType_V0 < 256 + ensures acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, 1 / + 4194304) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(dynamic_pred_2(res_V0), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, 
Types]) && + !pathPoolInitialized_840d9458_PMSCION(s_V0) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + pathPoolInitialized_840d9458_PMSCION(s_V0) ==> + acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), write) && + res_V0 == getPathPure_840d9458_PMSCION(s_V0, pathType_V0) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) + + +// decreases +method DecodeFromBytes_840d9458_PMSCION$L$14$1(data_V0_CN1$in: Slice[Ref], firstLine_V1$in: Int) + returns (firstLine_V1$out: Int) + requires 4 <= (slen(data_V0_CN1$in): Int) && + acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(data_V0_CN1$in, 0, 4), + 0, 4), 1 / 131072) + ensures 4 <= (slen(data_V0_CN1$in): Int) && + acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(data_V0_CN1$in, 0, 4), + 0, 4), 1 / 131072) + + +// decreases +method Unslice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (scap(s_V0): Int) + requires (slen(ssliceFromSlice_Ref(s_V0, start_V0, end_V0)): Int) <= + (scap(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, (slen(ssliceFromSlice_Ref(s_V0, start_V0, end_V0)): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, end_V0), p_V0) + + +// decreases +method DecodeFromBytes_840d9458_PMSCION(s_V0: 
ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + data_V0: Slice[Ref], df_V0: Tuple2[Ref, Types]) + returns (res_V0: Tuple2[Ref, Types]) + requires acc(dynamic_pred_3((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + requires acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), write) + requires !(df_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(dynamic_pred_10(df_V0), write) + ensures acc(AbsSlice_Bytes_e630ae22_F(data_V0, 0, (slen(data_V0): Int)), write) + ensures !(df_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(dynamic_pred_10(df_V0), write) + ensures res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + data_V0), write) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(dynamic_pred_3((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) +{ + inhale res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl s_V0_CN0: *SCION_840d9458_T@°°, data_V0_CN1: []byte@°°, df_V0_CN2: DecodeFeedback_b41831d7_T°°, res_V0_CN3: error_a4af0e5e_T°° + var res_V0_CN3: Tuple2[Ref, Types] + var df_V0_CN2: Tuple2[Ref, Types] + var data_V0_CN1: Slice[Ref] + var s_V0_CN0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + + + + // init s_V0_CN0 + inhale s_V0_CN0 == + 
shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$() + + // init data_V0_CN1 + inhale data_V0_CN1 == sliceDefault_Intbyte$$$_S_$$$() + + // init df_V0_CN2 + inhale df_V0_CN2 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // init res_V0_CN3 + inhale res_V0_CN3 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // s_V0_CN0 = s_V0 + s_V0_CN0 := s_V0 + + // data_V0_CN1 = data_V0 + data_V0_CN1 := data_V0 + + // df_V0_CN2 = df_V0 + df_V0_CN2 := df_V0 + + // decl firstLine_V1: uint32°°, addrHdrLen_V1: int°°, offset_V1: int°°, err_V1: error_a4af0e5e_T°°, hdrBytes_V1: int°°, pathLen_V1: int°°, N18: Path_a6ceb89d_T°°, N19: error_a4af0e5e_T°°, N20: error_a4af0e5e_T°° + var N20: Tuple2[Ref, Types] + var N19: Tuple2[Ref, Types] + var N18: Tuple2[Ref, Types] + var pathLen_V1: Int + var hdrBytes_V1: Int + var err_V1: Tuple2[Ref, Types] + var offset_V1: Int + var addrHdrLen_V1: Int + var firstLine_V1: Int + + // if(len(data_V0_CN1) < 12) {...} else {...} + if ((slen(data_V0_CN1): Int) < 12) { + + // decl N4: []interface{ name is empty_interface }@°°, N5: error_a4af0e5e_T°° + var N5: Tuple2[Ref, Types] + var N4: Slice[Ref] + + // df_V0_CN2SetTruncated() + SetTruncated_b41831d7_SY$9127f611_b41831d7_(df_V0_CN2) + + // N4 = new([]interface{ name is empty_interface }@ { 0:toInterface("min"), 1:toInterface(12), 2:toInterface("actual"), 
3:toInterface(len(data_V0_CN1)) }) + var fn$$0: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$2: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$3: Emb_4_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$1: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + fn$$1): Ref) } + 0 <= fn$$1 && fn$$1 < 4 ==> + acc((ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + fn$$1): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$0 == + box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_4_Interfaceempty_interface$$$_S_$$$())) + fn$$2 := fn$$0 + fn$$3 := box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit6d696e()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(12): Ref), integer_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly(stringLit61637475616c()): Ref), string_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly((slen(data_V0_CN1): Int)): Ref), integer_Types()): Tuple2[Ref, Types]))) + inhale (forall fn$$4: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$2), + fn$$4): Ref) } + { unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$3)[fn$$4] } + 0 <= fn$$4 && fn$$4 < 4 ==> + (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$2), + fn$$4): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$3)[fn$$4]) + N4 := ssliceFromArray_Ref(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + 0, 4) + + // N5 = New_bfd5223e_F("packet is shorter than the common header length", N4) + N5 := New_bfd5223e_F(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(), + N4) + + // res_V0_CN3 = N5 + res_V0_CN3 := N5 + + // return + goto returnLabel + } + + // SplitRange_Bytes_e630ae22_F(data_V0_CN1, 0, 4, perm(1/131072)) + 
SplitRange_Bytes_e630ae22_F(data_V0_CN1, 0, 4, 1 / 131072) + + // +// requires 4 <= len(data_V0_CN1) && acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1[0:4], 0, 4), perm(1/131072)) +// ensures 4 <= len(data_V0_CN1) && acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1[0:4], 0, 4), perm(1/131072)) +// decreases +// outline + firstLine_V1 := DecodeFromBytes_840d9458_PMSCION$L$14$1(data_V0_CN1, firstLine_V1) + + // CombineRange_Bytes_e630ae22_F(data_V0_CN1, 0, 4, perm(1/131072)) + CombineRange_Bytes_e630ae22_F(data_V0_CN1, 0, 4, 1 / 131072) + + // unfold acc(s_V0_CN0.NonInitMem()) + unfold acc(dynamic_pred_3((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + + // *s_V0_CN0.VersionA = uint8°(firstLine_V1 >> 28) + (ShStructget1of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ := intShiftRight(firstLine_V1, + 28) + + // *s_V0_CN0.TrafficClassA = uint8°(firstLine_V1 >> 20 & 0xff) + (ShStructget2of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ := intBitwiseAnd(intShiftRight(firstLine_V1, + 20), 255) + + // *s_V0_CN0.FlowIDA = firstLine_V1 & 0xfffff + (ShStructget3of17(s_V0_CN0): Ref).Intuint32$$$$_E_$$$ := intBitwiseAnd(firstLine_V1, + 1048575) + + // +// requires acc(*s_V0_CN0.NextHdrA) && acc(*s_V0_CN0.HdrLenA) && acc(*s_V0_CN0.PayloadLenA) && acc(*s_V0_CN0.PathTypeA) +// requires acc(*s_V0_CN0.DstAddrTypeA) && acc(*s_V0_CN0.SrcAddrTypeA) +// requires 12 <= len(data_V0_CN1) && acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1)), perm(1/131072)) +// ensures acc(*s_V0_CN0.NextHdrA) && acc(*s_V0_CN0.HdrLenA) && acc(*s_V0_CN0.PayloadLenA) && acc(*s_V0_CN0.PathTypeA) +// ensures acc(*s_V0_CN0.DstAddrTypeA) && acc(*s_V0_CN0.SrcAddrTypeA) +// ensures 12 <= len(data_V0_CN1) && acc(AbsSlice_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1)), perm(1/131072)) +// ensures *s_V0_CN0.DstAddrTypeA.Has3Bits() && *s_V0_CN0.SrcAddrTypeA.Has3Bits() +// ensures 0 <= *s_V0_CN0.PathTypeA && *s_V0_CN0.PathTypeA < 256 +// decreases +// outline + 
DecodeFromBytes_840d9458_PMSCION$L$26$1(data_V0_CN1, s_V0_CN0) + + // SplitByIndex_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1), 12, perm(1/128)) + SplitByIndex_Bytes_e630ae22_F(data_V0_CN1, 0, (slen(data_V0_CN1): Int), 12, + 1 / 128) + + // Reslice_Bytes_e630ae22_F(data_V0_CN1, 12, len(data_V0_CN1), perm(1/128)) + Reslice_Bytes_e630ae22_F(data_V0_CN1, 12, (slen(data_V0_CN1): Int), 1 / + 128) + + // decl N12: error_a4af0e5e_T°°, err_V2: error_a4af0e5e_T°° + var err_V2: Tuple2[Ref, Types] + var N12: Tuple2[Ref, Types] + + // N12 = s_V0_CN0DecodeAddrHdr(data_V0_CN1[12:len(data_V0_CN1)]) + N12 := DecodeAddrHdr_840d9458_PMSCION(s_V0_CN0, ssliceFromSlice_Ref(data_V0_CN1, + 12, (slen(data_V0_CN1): Int))) + + // init err_V2 + inhale err_V2 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // err_V2 = N12 + err_V2 := N12 + + // if(err_V2 != (nil:error_a4af0e5e_T°)) {...} else {...} + if (!(err_V2 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + + // decl + + // fold acc(s_V0_CN0.NonInitMem()) + fold acc(dynamic_pred_3((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + + // Unslice_Bytes_e630ae22_F(data_V0_CN1, 12, len(data_V0_CN1), perm(1/128)) + Unslice_Bytes_e630ae22_F(data_V0_CN1, 12, (slen(data_V0_CN1): Int), 1 / + 128) + + // CombineAtIndex_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1), 12, perm(1/128)) + CombineAtIndex_Bytes_e630ae22_F(data_V0_CN1, 0, (slen(data_V0_CN1): Int), + 12, 1 / 128) + + // df_V0_CN2SetTruncated() + SetTruncated_b41831d7_SY$9127f611_b41831d7_(df_V0_CN2) + + // res_V0_CN3 = err_V2 + res_V0_CN3 := err_V2 + + // return + goto returnLabel + } + + // Unslice_Bytes_e630ae22_F(data_V0_CN1, 12, len(data_V0_CN1), perm(1/128)) + Unslice_Bytes_e630ae22_F(data_V0_CN1, 12, (slen(data_V0_CN1): Int), 1 / + 128) + + // CombineAtIndex_Bytes_e630ae22_F(data_V0_CN1, 0, len(data_V0_CN1), 12, perm(1/128)) + CombineAtIndex_Bytes_e630ae22_F(data_V0_CN1, 0, (slen(data_V0_CN1): Int), + 12, 
1 / 128) + + // init addrHdrLen_V1 + inhale addrHdrLen_V1 == 0 + + // addrHdrLen_V1 = s_V0_CN0.AddrHdrLen((nil:[]byte@°), true) + addrHdrLen_V1 := AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), + true) + + // init offset_V1 + inhale offset_V1 == 0 + + // offset_V1 = 12 + addrHdrLen_V1 + offset_V1 := 12 + addrHdrLen_V1 + + // init err_V1 + inhale err_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // err_V1 = dflt[error_a4af0e5e_T°] + err_V1 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // init hdrBytes_V1 + inhale hdrBytes_V1 == 0 + + // hdrBytes_V1 = int°(*s_V0_CN0.HdrLenA) * 4 + hdrBytes_V1 := (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4 + + // init pathLen_V1 + inhale pathLen_V1 == 0 + + // pathLen_V1 = hdrBytes_V1 - 12 - addrHdrLen_V1 + pathLen_V1 := hdrBytes_V1 - 12 - addrHdrLen_V1 + + // if(pathLen_V1 < 0) {...} else {...} + if (pathLen_V1 < 0) { + + // decl N14: []interface{ name is empty_interface }@°°, N15: error_a4af0e5e_T°° + var N15: Tuple2[Ref, Types] + var N14: Slice[Ref] + + // unfold acc(s_V0_CN0.HeaderMem(data_V0_CN1[12:len(data_V0_CN1)])) + unfold acc(HeaderMem_840d9458_PMSCION(s_V0_CN0, ssliceFromSlice_Ref(data_V0_CN1, + 12, (slen(data_V0_CN1): Int))), write) + + // fold acc(s_V0_CN0.NonInitMem()) + fold acc(dynamic_pred_3((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + + // N14 = new([]interface{ name is empty_interface }@ { 0:toInterface("hdrBytes"), 5:toInterface(12), 1:toInterface(hdrBytes_V1), 2:toInterface("addrHdrLen"), 3:toInterface(addrHdrLen_V1), 4:toInterface("CmdHdrLen") }) + var fn$$5: Emb_6_Interfaceempty_interface$$$_S_$$$ + var fn$$7: Emb_6_Interfaceempty_interface$$$_S_$$$ + var fn$$8: Emb_6_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$6: Int :: + { (ShArrayloc(unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$5), + fn$$6): Ref) } + 0 <= fn$$6 && fn$$6 < 6 ==> + 
acc((ShArrayloc(unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$5), + fn$$6): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$5 == + box_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_6_Interfaceempty_interface$$$_S_$$$())) + fn$$7 := fn$$5 + fn$$8 := box_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit6864724279746573()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(hdrBytes_V1): Ref), + int_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(stringLit616464724864724c656e()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(addrHdrLen_V1): Ref), + int_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(stringLit436d644864724c656e()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(12): Ref), integer_Types()): Tuple2[Ref, Types]))) + inhale (forall fn$$9: Int :: + { (ShArrayloc(unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$7), + fn$$9): Ref) } + { unbox_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$8)[fn$$9] } + 0 <= fn$$9 && fn$$9 < 6 ==> + (ShArrayloc(unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$7), + fn$$9): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_6_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$8)[fn$$9]) + N14 := ssliceFromArray_Ref(unbox_Emb_6_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$5), + 0, 6) + + // N15 = New_bfd5223e_F("invalid header, negative pathLen", N14) + N15 := New_bfd5223e_F(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(), + N14) + + // res_V0_CN3 = N15 + res_V0_CN3 := N15 + + // return + goto returnLabel + } + + // decl minLen_V3: int°° + var minLen_V3: Int + + // init minLen_V3 + inhale minLen_V3 == 0 + + // minLen_V3 = offset_V1 + pathLen_V1 + minLen_V3 := offset_V1 + pathLen_V1 + + // if(len(data_V0_CN1) < minLen_V3) {...} else {...} + if ((slen(data_V0_CN1): Int) < minLen_V3) { + + // decl N16: 
[]interface{ name is empty_interface }@°°, N17: error_a4af0e5e_T°° + var N17: Tuple2[Ref, Types] + var N16: Slice[Ref] + + // df_V0_CN2SetTruncated() + SetTruncated_b41831d7_SY$9127f611_b41831d7_(df_V0_CN2) + + // unfold acc(s_V0_CN0.HeaderMem(data_V0_CN1[12:len(data_V0_CN1)])) + unfold acc(HeaderMem_840d9458_PMSCION(s_V0_CN0, ssliceFromSlice_Ref(data_V0_CN1, + 12, (slen(data_V0_CN1): Int))), write) + + // fold acc(s_V0_CN0.NonInitMem()) + fold acc(dynamic_pred_3((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + + // N16 = new([]interface{ name is empty_interface }@ { 0:toInterface("expected"), 1:toInterface(minLen_V3), 2:toInterface("actual"), 3:toInterface(len(data_V0_CN1)) }) + var fn$$10: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$12: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$13: Emb_4_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$11: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$10), + fn$$11): Ref) } + 0 <= fn$$11 && fn$$11 < 4 ==> + acc((ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$10), + fn$$11): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$10 == + box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_4_Interfaceempty_interface$$$_S_$$$())) + fn$$12 := fn$$10 + fn$$13 := box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit6578706563746564()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(minLen_V3): Ref), + int_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(stringLit61637475616c()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly((slen(data_V0_CN1): Int)): Ref), + integer_Types()): Tuple2[Ref, Types]))) + inhale (forall fn$$14: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$12), + fn$$14): Ref) } + { 
unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$13)[fn$$14] } + 0 <= fn$$14 && fn$$14 < 4 ==> + (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$12), + fn$$14): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$13)[fn$$14]) + N16 := ssliceFromArray_Ref(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$10), + 0, 4) + + // N17 = New_bfd5223e_F("provided buffer is too small", N16) + N17 := New_bfd5223e_F(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(), + N16) + + // res_V0_CN3 = N17 + res_V0_CN3 := N17 + + // return + goto returnLabel + } + + // assert unfolding acc(PathPoolMem_840d9458_F(*s_V0_CN0.pathPoolA, *s_V0_CN0.pathPoolRawA)) in *s_V0_CN0.pathPoolA == (nil:[]Path_a6ceb89d_T@°) == *s_V0_CN0.pathPoolRawA == (nil:Path_a6ceb89d_T°) + assert (unfolding acc(PathPoolMem_840d9458_F((ShStructget15of17(s_V0_CN0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write) in + ((ShStructget15of17(s_V0_CN0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) == + ((ShStructget16of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) + + // N18, N19 = s_V0_CN0getPath(*s_V0_CN0.PathTypeA) + N18, N19 := getPath_840d9458_PMSCION(s_V0_CN0, (ShStructget7of17(s_V0_CN0): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$) + + // *s_V0_CN0.PathA = N18 + (ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ := N18 + + // err_V1 = N19 + err_V1 := N19 + + // if(err_V1 != (nil:error_a4af0e5e_T°)) {...} else {...} + if (!(err_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + + // decl + + // unfold acc(s_V0_CN0.HeaderMem(data_V0_CN1[12:len(data_V0_CN1)])) + unfold acc(HeaderMem_840d9458_PMSCION(s_V0_CN0, ssliceFromSlice_Ref(data_V0_CN1, + 12, 
(slen(data_V0_CN1): Int))), write) + + // fold acc(s_V0_CN0.NonInitMem()) + fold acc(dynamic_pred_3((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + + // res_V0_CN3 = err_V1 + res_V0_CN3 := err_V1 + + // return + goto returnLabel + } + + // SplitRange_Bytes_e630ae22_F(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1, write) + SplitRange_Bytes_e630ae22_F(data_V0_CN1, offset_V1, offset_V1 + + pathLen_V1, write) + + // N20 = *s_V0_CN0.PathADecodeFromBytes(data_V0_CN1[offset_V1:offset_V1 + pathLen_V1]) + N20 := DecodeFromBytes_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1)) + + // err_V1 = N20 + err_V1 := N20 + + // if(err_V1 != (nil:error_a4af0e5e_T°)) {...} else {...} + if (!(err_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + + // decl + + // CombineRange_Bytes_e630ae22_F(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1, write) + CombineRange_Bytes_e630ae22_F(data_V0_CN1, offset_V1, offset_V1 + + pathLen_V1, write) + + // unfold acc(s_V0_CN0.HeaderMem(data_V0_CN1[12:len(data_V0_CN1)])) + unfold acc(HeaderMem_840d9458_PMSCION(s_V0_CN0, ssliceFromSlice_Ref(data_V0_CN1, + 12, (slen(data_V0_CN1): Int))), write) + + // s_V0_CN0PathPoolMemExchange(*s_V0_CN0.PathTypeA, *s_V0_CN0.PathA) + PathPoolMemExchange_840d9458_PMSCION(s_V0_CN0, (ShStructget7of17(s_V0_CN0): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, + (ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) + + // fold acc(s_V0_CN0.NonInitMem()) + fold acc(dynamic_pred_3((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types])), write) + + // res_V0_CN3 = err_V1 + res_V0_CN3 := err_V1 + + // return + goto returnLabel + } + + // if(typeOf(*s_V0_CN0.PathA) == *Path_c385169_T) {...} else {...} + if (typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): 
Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types())) { + + // decl N22: bool°° + var N22: Bool + + // N22 = *s_V0_CN0.PathA.(*Path_c385169_T@°).InferSizeUb(data_V0_CN1[offset_V1:offset_V1 + pathLen_V1]) + N22 := InferSizeUb_c385169_PMPath(assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), + pointer_Types(Path_c385169_T_Types())), (unbox_Poly((get0of2((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])), + ssliceFromSlice_Ref(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1)) + + // assert *s_V0_CN0.PathA.Len(data_V0_CN1[offset_V1:offset_V1 + pathLen_V1]) <= len(data_V0_CN1[offset_V1:offset_V1 + pathLen_V1]) + assert Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1)) <= + (slen(ssliceFromSlice_Ref(data_V0_CN1, offset_V1, offset_V1 + + pathLen_V1)): Int) + + // assert 12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true) + *s_V0_CN0.PathA.Len(data_V0_CN1[offset_V1:offset_V1 + pathLen_V1]) <= len(data_V0_CN1) + assert 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), + true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1)) <= + (slen(data_V0_CN1): Int) + } + + // *s_V0_CN0.BaseLayerA.ContentsA = data_V0_CN1[0:hdrBytes_V1] + (ShStructget0of2((ShStructget0of17(s_V0_CN0): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ := ssliceFromSlice_Ref(data_V0_CN1, + 0, 
hdrBytes_V1) + + // *s_V0_CN0.BaseLayerA.PayloadA = data_V0_CN1[hdrBytes_V1:len(data_V0_CN1)] + (ShStructget1of2((ShStructget0of17(s_V0_CN0): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ := ssliceFromSlice_Ref(data_V0_CN1, + hdrBytes_V1, (slen(data_V0_CN1): Int)) + + // CombineRange_Bytes_e630ae22_F(data_V0_CN1, offset_V1, offset_V1 + pathLen_V1, write) + CombineRange_Bytes_e630ae22_F(data_V0_CN1, offset_V1, offset_V1 + + pathLen_V1, write) + + // fold acc(s_V0_CN0.Mem(data_V0_CN1)) + fold acc(dynamic_pred_0((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + data_V0_CN1), write) + + // res_V0_CN3 = (nil:error_a4af0e5e_T°) + res_V0_CN3 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN3 + res_V0 := res_V0_CN3 +} + +// decreases +method SplitByIndex_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + idx_V0: Int, p_V0: Perm) + requires 0 / 1 <= p_V0 + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, end_V0), p_V0) + requires start_V0 <= idx_V0 && idx_V0 <= end_V0 + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, idx_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, idx_V0, end_V0), p_V0) + + +// decreases +method CombineRange_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (slen(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, end_V0 - start_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, start_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, end_V0, (slen(s_V0): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, (slen(s_V0): Int)), p_V0) + + +// decreases +method Reslice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 
acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, end_V0), p_V0) + requires (unfolding acc(AbsSlice_Bytes_e630ae22_F(s_V0, start_V0, end_V0), p_V0) in + true) + ensures acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, (slen(ssliceFromSlice_Ref(s_V0, start_V0, end_V0)): Int)), p_V0) + + +// decreases +method DecodeFromBytes_a6ceb89d_SY$558431e4_a6ceb89d_(thisItf: Tuple2[Ref, Types], + b_V0: Slice[Ref]) + returns (err_V0: Tuple2[Ref, Types]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_2(thisItf), write) + requires acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), write) + ensures acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(dynamic_pred_6(thisItf, b_V0), write) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(dynamic_pred_2(thisItf), write) + + +// decreases _ +method New_bfd5223e_F(msg_V0: Int, errCtx_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + 
acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0) diff --git a/src/test/resources/biabduction/frontends/gobra/scion_SerializeAddrHdr.vpr b/src/test/resources/biabduction/frontends/gobra/scion_SerializeAddrHdr.vpr new file mode 100644 index 00000000..f4bfd623 --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/scion_SerializeAddrHdr.vpr 
@@ -0,0 +1,3908 @@ +domain ShStruct2[T0, T1] { + + function ShStructget1of2(x: ShStruct2[T0, T1]): T1 + + function ShStructget0of2(x: ShStruct2[T0, T1]): T0 + + function ShStructrev1of2(v1: T1): ShStruct2[T0, T1] + + function ShStructrev0of2(v0: T0): ShStruct2[T0, T1] + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget1of2(x): T1) } + (ShStructrev1of2((ShStructget1of2(x): T1)): ShStruct2[T0, T1]) == x) + } + + axiom { + (forall x: ShStruct2[T0, T1], y: ShStruct2[T0, T1] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of2(x): T0) == (ShStructget0of2(y): T0) && + (ShStructget1of2(x): T1) == (ShStructget1of2(y): T1))) + } + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget0of2(x): T0) } + (ShStructrev0of2((ShStructget0of2(x): T0)): ShStruct2[T0, T1]) == x) + } +} + +domain Types { + + unique function SCMPInternalConnectivityDown_840d9458_T_Types_tag(): Int + + function slice_Types(p0: Types): Types + + function SCMPExternalInterfaceDown_840d9458_T_Types(): Types + + function integer_Types(): Types + + unique function slice_Types_tag(): Int + + unique function Payload_b41831d7_T_Types_tag(): Int + + unique function SCMPPacketTooBig_840d9458_T_Types_tag(): Int + + function Y$6914870a_b41831d7__Types(): Types + + function BFD_6416454f_T_Types(): Types + + unique function Y$558431e4_a6ceb89d__Types_tag(): Int + + function SCION_840d9458_T_Types(): Types + + function SCMPTraceroute_840d9458_T_Types(): Types + + function AddrType_840d9458_T_Types(): Types + + unique function Y$c2e55be_72f0d887__Types_tag(): Int + + function Y$60c7bddc_b41831d7__Types(): Types + + function HostIPv4_cd675838_T_Types(): Types + + function Y$c2e55be_72f0d887__Types(): Types + + unique function Raw_daeaf66a_T_Types_tag(): Int + + function Y$35202e5_cd675838__Types(): Types + + function Y$49c4c25f_d3743b4f__Types(): Types + + unique function int_Types_tag(): Int + + unique function Y$9127f611_b41831d7__Types_tag(): Int + + unique function 
empty_interface_Types_tag(): Int + + function SCMPCode_840d9458_T_Types(): Types + + unique function Decoded_daeaf66a_T_Types_tag(): Int + + function pointer_Types(p0: Types): Types + + unique function Y$b28ae4_ac87dd1d__Types_tag(): Int + + unique function Y$35202e5_cd675838__Types_tag(): Int + + function Y$558431e4_a6ceb89d__Types(): Types + + function tag_Types(t: Types): Int + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + unique function L4ProtocolType_840d9458_T_Types_tag(): Int + + function littleEndian_72f0d887_T_Types(): Types + + unique function AddrType_840d9458_T_Types_tag(): Int + + unique function HostNone_cd675838_T_Types_tag(): Int + + unique function byte_Types_tag(): Int + + unique function Y$49c4c25f_d3743b4f__Types_tag(): Int + + function Y$9127f611_b41831d7__Types(): Types + + function EndToEndExtn_840d9458_T_Types(): Types + + unique function SCMPTraceroute_840d9458_T_Types_tag(): Int + + function empty_interface_Types(): Types + + unique function UDPAddr_5c610647_T_Types_tag(): Int + + unique function bigEndian_72f0d887_T_Types_tag(): Int + + unique function nilDecodeFeedback_b41831d7_T_Types_tag(): Int + + function Y$3191b69e_b41831d7__Types(): Types + + unique function HopByHopExtn_840d9458_T_Types_tag(): Int + + unique function Path_c385169_T_Types_tag(): Int + + unique function SCMP_840d9458_T_Types_tag(): Int + + unique function Y$17800ab4_b41831d7__Types_tag(): Int + + function Y$8f734176_14a7fb6d__Types(): Types + + unique function AS_cd675838_T_Types_tag(): Int + + function HostNone_cd675838_T_Types(): Types + + function Path_c6e60a1d_T_Types(): Types + + function AS_cd675838_T_Types(): Types + + function SCMPTypeCode_840d9458_T_Types(): Types + + unique function Path_4cddb96f_T_Types_tag(): Int + + function rawPath_a6ceb89d_T_Types(): Types + + function HopByHopExtn_840d9458_T_Types(): Types + + unique function Y$9c78df5f_b41831d7__Types_tag(): Int + + function SCMPDestinationUnreachable_840d9458_T_Types(): Types + 
+ function nilDecodeFeedback_b41831d7_T_Types(): Types + + unique function rawPath_a6ceb89d_T_Types_tag(): Int + + unique function Y$68d3cee9_b41831d7__Types_tag(): Int + + function int_Types(): Types + + function nil_Types(): Types + + unique function SCMPExternalInterfaceDown_840d9458_T_Types_tag(): Int + + unique function BFD_6416454f_T_Types_tag(): Int + + function UDPAddr_5c610647_T_Types(): Types + + unique function HostSVC_cd675838_T_Types_tag(): Int + + function uint16_Types(): Types + + function SCMPPacketTooBig_840d9458_T_Types(): Types + + function IPAddr_5c610647_T_Types(): Types + + function Y$68d3cee9_b41831d7__Types(): Types + + unique function Y$8f734176_14a7fb6d__Types_tag(): Int + + function Path_4cddb96f_T_Types(): Types + + function Y$febd64e7_b41831d7__Types(): Types + + unique function SCMPType_840d9458_T_Types_tag(): Int + + unique function string_Types_tag(): Int + + unique function SCMPTypeCode_840d9458_T_Types_tag(): Int + + function Y$9c78df5f_b41831d7__Types(): Types + + function bigEndian_72f0d887_T_Types(): Types + + unique function Y$53a71dc3_5c610647__Types_tag(): Int + + unique function IPAddr_5c610647_T_Types_tag(): Int + + unique function HopByHopExtnSkipper_840d9458_T_Types_tag(): Int + + function HopByHopExtnSkipper_840d9458_T_Types(): Types + + unique function SCMPEcho_840d9458_T_Types_tag(): Int + + function HostSVC_cd675838_T_Types(): Types + + unique function integer_Types_tag(): Int + + function Y$17800ab4_b41831d7__Types(): Types + + unique function littleEndian_72f0d887_T_Types_tag(): Int + + function SCMPInternalConnectivityDown_840d9458_T_Types(): Types + + function Decoded_daeaf66a_T_Types(): Types + + function SCMPType_840d9458_T_Types(): Types + + unique function Y$6914870a_b41831d7__Types_tag(): Int + + function byte_Types(): Types + + unique function Y$60c7bddc_b41831d7__Types_tag(): Int + + function Payload_b41831d7_T_Types(): Types + + function Path_c385169_T_Types(): Types + + function 
SCMPParameterProblem_840d9458_T_Types(): Types + + function Y$b28ae4_ac87dd1d__Types(): Types + + unique function HostIPv6_cd675838_T_Types_tag(): Int + + unique function SCION_840d9458_T_Types_tag(): Int + + function SCMPEcho_840d9458_T_Types(): Types + + unique function Y$febd64e7_b41831d7__Types_tag(): Int + + function EndToEndExtnSkipper_840d9458_T_Types(): Types + + unique function HostIPv4_cd675838_T_Types_tag(): Int + + unique function nil_Types_tag(): Int + + function L4ProtocolType_840d9458_T_Types(): Types + + unique function Y$3191b69e_b41831d7__Types_tag(): Int + + unique function EndToEndExtnSkipper_840d9458_T_Types_tag(): Int + + function IA_cd675838_T_Types(): Types + + unique function IA_cd675838_T_Types_tag(): Int + + unique function LayerType_b41831d7_T_Types_tag(): Int + + function get_0_pointer_Types(t: Types): Types + + unique function Path_c6e60a1d_T_Types_tag(): Int + + function Raw_daeaf66a_T_Types(): Types + + unique function SCMPCode_840d9458_T_Types_tag(): Int + + unique function pointer_Types_tag(): Int + + function Y$53a71dc3_5c610647__Types(): Types + + unique function SCMPDestinationUnreachable_840d9458_T_Types_tag(): Int + + function SCMP_840d9458_T_Types(): Types + + function HostIPv6_cd675838_T_Types(): Types + + function LayerType_b41831d7_T_Types(): Types + + unique function uint16_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + unique function EndToEndExtn_840d9458_T_Types_tag(): Int + + unique function SCMPParameterProblem_840d9458_T_Types_tag(): Int + + function string_Types(): Types + + axiom { + comparableType_Types(SCION_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPPacketTooBig_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$9c78df5f_b41831d7__Types()) == false + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + 
tag_Types(Y$c2e55be_72f0d887__Types()) == + Y$c2e55be_72f0d887__Types_tag() + } + + axiom { + comparableType_Types(Y$b28ae4_ac87dd1d__Types()) == false + } + + axiom { + (forall p0: Types :: + { comparableType_Types(slice_Types(p0)) } + comparableType_Types(slice_Types(p0)) == false) + } + + axiom { + comparableType_Types(IA_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(Y$35202e5_cd675838__Types()) == false + } + + axiom { + comparableType_Types(Raw_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(int_Types()) == int_Types_tag() + } + + axiom { + comparableType_Types(SCMPEcho_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Payload_b41831d7_T_Types()) == false + } + + axiom { + tag_Types(AS_cd675838_T_Types()) == AS_cd675838_T_Types_tag() + } + + axiom { + tag_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + SCMPExternalInterfaceDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$49c4c25f_d3743b4f__Types()) == + Y$49c4c25f_d3743b4f__Types_tag() + } + + axiom { + comparableType_Types(HostSVC_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(SCMPParameterProblem_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPType_840d9458_T_Types()) == + SCMPType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$b28ae4_ac87dd1d__Types()) == Y$b28ae4_ac87dd1d__Types_tag() + } + + axiom { + comparableType_Types(Path_c385169_T_Types()) == true + } + + axiom { + comparableType_Types(Y$53a71dc3_5c610647__Types()) == false + } + + axiom { + comparableType_Types(Path_4cddb96f_T_Types()) == true + } + + axiom { + comparableType_Types(UDPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(IA_cd675838_T_Types()) == IA_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(Y$9127f611_b41831d7__Types()) == false + } + + 
axiom { + comparableType_Types(EndToEndExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(nilDecodeFeedback_b41831d7_T_Types()) == + nilDecodeFeedback_b41831d7_T_Types_tag() + } + + axiom { + comparableType_Types(Y$3191b69e_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(AddrType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$3191b69e_b41831d7__Types()) == + Y$3191b69e_b41831d7__Types_tag() + } + + axiom { + tag_Types(HopByHopExtn_840d9458_T_Types()) == + HopByHopExtn_840d9458_T_Types_tag() + } + + axiom { + tag_Types(BFD_6416454f_T_Types()) == BFD_6416454f_T_Types_tag() + } + + axiom { + comparableType_Types(Y$febd64e7_b41831d7__Types()) == false + } + + axiom { + tag_Types(HopByHopExtnSkipper_840d9458_T_Types()) == + HopByHopExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HostIPv6_cd675838_T_Types()) == + HostIPv6_cd675838_T_Types_tag() + } + + axiom { + tag_Types(Y$558431e4_a6ceb89d__Types()) == + Y$558431e4_a6ceb89d__Types_tag() + } + + axiom { + comparableType_Types(Y$68d3cee9_b41831d7__Types()) == false + } + + axiom { + tag_Types(uint16_Types()) == uint16_Types_tag() + } + + axiom { + comparableType_Types(SCMPTypeCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPTraceroute_840d9458_T_Types()) == + SCMPTraceroute_840d9458_T_Types_tag() + } + + axiom { + tag_Types(littleEndian_72f0d887_T_Types()) == + littleEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(Y$8f734176_14a7fb6d__Types()) == false + } + + axiom { + comparableType_Types(string_Types()) == true + } + + axiom { + tag_Types(Y$9127f611_b41831d7__Types()) == + Y$9127f611_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$febd64e7_b41831d7__Types()) == + Y$febd64e7_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$60c7bddc_b41831d7__Types()) == + Y$60c7bddc_b41831d7__Types_tag() + } + + axiom { + tag_Types(EndToEndExtn_840d9458_T_Types()) == + EndToEndExtn_840d9458_T_Types_tag() + } + + axiom { + 
tag_Types(Payload_b41831d7_T_Types()) == Payload_b41831d7_T_Types_tag() + } + + axiom { + comparableType_Types(Y$558431e4_a6ceb89d__Types()) == false + } + + axiom { + comparableType_Types(HopByHopExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(HostNone_cd675838_T_Types()) == + HostNone_cd675838_T_Types_tag() + } + + axiom { + (forall x0: Types :: + { pointer_Types(x0) } + get_0_pointer_Types(pointer_Types(x0)) == x0) + } + + axiom { + tag_Types(Y$9c78df5f_b41831d7__Types()) == + Y$9c78df5f_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(SCMPCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Decoded_daeaf66a_T_Types()) == Decoded_daeaf66a_T_Types_tag() + } + + axiom { + comparableType_Types(Y$17800ab4_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(integer_Types()) == true + } + + axiom { + tag_Types(Y$6914870a_b41831d7__Types()) == + Y$6914870a_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(Y$c2e55be_72f0d887__Types()) == false + } + + axiom { + comparableType_Types(AS_cd675838_T_Types()) == true + } + + axiom { + tag_Types(SCMPPacketTooBig_840d9458_T_Types()) == + SCMPPacketTooBig_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(int_Types()) == true + } + + axiom { + tag_Types(SCMPTypeCode_840d9458_T_Types()) == + SCMPTypeCode_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(LayerType_b41831d7_T_Types()) == true + } + + axiom { + comparableType_Types(uint16_Types()) == true + } + + axiom { + comparableType_Types(littleEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(nilDecodeFeedback_b41831d7_T_Types()) == true + } + + axiom { + tag_Types(rawPath_a6ceb89d_T_Types()) == rawPath_a6ceb89d_T_Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + 
tag_Types(Y$35202e5_cd675838__Types()) == + Y$35202e5_cd675838__Types_tag() + } + + axiom { + tag_Types(SCMPCode_840d9458_T_Types()) == + SCMPCode_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(byte_Types()) == true + } + + axiom { + (forall p0: Types :: + { comparableType_Types(pointer_Types(p0)) } + comparableType_Types(pointer_Types(p0)) == true) + } + + axiom { + comparableType_Types(Y$49c4c25f_d3743b4f__Types()) == false + } + + axiom { + comparableType_Types(rawPath_a6ceb89d_T_Types()) == true + } + + axiom { + tag_Types(Path_4cddb96f_T_Types()) == Path_4cddb96f_T_Types_tag() + } + + axiom { + tag_Types(IPAddr_5c610647_T_Types()) == IPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(EndToEndExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { slice_Types(p0) } + tag_Types(slice_Types(p0)) == slice_Types_tag()) + } + + axiom { + tag_Types(Path_c385169_T_Types()) == Path_c385169_T_Types_tag() + } + + axiom { + comparableType_Types(Path_c6e60a1d_T_Types()) == true + } + + axiom { + comparableType_Types(IPAddr_5c610647_T_Types()) == true + } + + axiom { + comparableType_Types(HostIPv6_cd675838_T_Types()) == false + } + + axiom { + tag_Types(L4ProtocolType_840d9458_T_Types()) == + L4ProtocolType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$17800ab4_b41831d7__Types()) == + Y$17800ab4_b41831d7__Types_tag() + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + tag_Types(AddrType_840d9458_T_Types()) == + AddrType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Decoded_daeaf66a_T_Types()) == true + } + + axiom { + tag_Types(integer_Types()) == integer_Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + 
comparableType_Types(HopByHopExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPParameterProblem_840d9458_T_Types()) == + SCMPParameterProblem_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$6914870a_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(SCMP_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(L4ProtocolType_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPTraceroute_840d9458_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { pointer_Types(p0) } + tag_Types(pointer_Types(p0)) == pointer_Types_tag()) + } + + axiom { + comparableType_Types(HostIPv4_cd675838_T_Types()) == false + } + + axiom { + tag_Types(HostSVC_cd675838_T_Types()) == HostSVC_cd675838_T_Types_tag() + } + + axiom { + tag_Types(LayerType_b41831d7_T_Types()) == + LayerType_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(Y$68d3cee9_b41831d7__Types()) == + Y$68d3cee9_b41831d7__Types_tag() + } + + axiom { + tag_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + SCMPInternalConnectivityDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCION_840d9458_T_Types()) == SCION_840d9458_T_Types_tag() + } + + axiom { + tag_Types(bigEndian_72f0d887_T_Types()) == + bigEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(HostNone_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(string_Types()) == string_Types_tag() + } + + axiom { + tag_Types(byte_Types()) == byte_Types_tag() + } + + axiom { + tag_Types(Y$8f734176_14a7fb6d__Types()) == + Y$8f734176_14a7fb6d__Types_tag() + } + + axiom { + tag_Types(Raw_daeaf66a_T_Types()) == Raw_daeaf66a_T_Types_tag() + } + + axiom { + comparableType_Types(bigEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(Y$53a71dc3_5c610647__Types()) == + 
Y$53a71dc3_5c610647__Types_tag() + } + + axiom { + comparableType_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(SCMP_840d9458_T_Types()) == SCMP_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + SCMPDestinationUnreachable_840d9458_T_Types_tag() + } + + axiom { + tag_Types(EndToEndExtnSkipper_840d9458_T_Types()) == + EndToEndExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(BFD_6416454f_T_Types()) == true + } + + axiom { + tag_Types(SCMPEcho_840d9458_T_Types()) == + SCMPEcho_840d9458_T_Types_tag() + } + + axiom { + tag_Types(UDPAddr_5c610647_T_Types()) == UDPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(Y$60c7bddc_b41831d7__Types()) == false + } + + axiom { + tag_Types(Path_c6e60a1d_T_Types()) == Path_c6e60a1d_T_Types_tag() + } + + axiom { + tag_Types(HostIPv4_cd675838_T_Types()) == + HostIPv4_cd675838_T_Types_tag() + } +} + +domain ShStruct0 { + + axiom { + (forall x: ShStruct0, y: ShStruct0 :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == true) + } +} + +domain Emb_4_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain ShStruct1[T0] { + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } +} + +domain ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] { + + function ShStructget4of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T4 + + function ShStructget10of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T10 + + function ShStructrev4of17(v4: T4): 
ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev10of17(v10: T10): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev13of17(v13: T13): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget5of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T5 + + function ShStructrev0of17(v0: T0): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev2of17(v2: T2): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev1of17(v1: T1): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget6of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T6 + + function ShStructrev15of17(v15: T15): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget7of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T7 + + function ShStructrev14of17(v14: T14): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget8of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T8 + + function ShStructrev7of17(v7: T7): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget2of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T2 + + function ShStructget11of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T11 + + function ShStructrev12of17(v12: T12): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function 
ShStructrev11of17(v11: T11): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget3of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T3 + + function ShStructrev9of17(v9: T9): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev8of17(v8: T8): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev3of17(v3: T3): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev5of17(v5: T5): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget16of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T16 + + function ShStructget14of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T14 + + function ShStructget13of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T13 + + function ShStructrev16of17(v16: T16): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev6of17(v6: T6): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget9of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T9 + + function ShStructget12of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T12 + + function ShStructget0of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T0 + + function ShStructget1of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T1 + + function ShStructget15of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T15 + + 
axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget10of17(x): T10) } + (ShStructrev10of17((ShStructget10of17(x): T10)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget1of17(x): T1) } + (ShStructrev1of17((ShStructget1of17(x): T1)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget2of17(x): T2) } + (ShStructrev2of17((ShStructget2of17(x): T2)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget16of17(x): T16) } + (ShStructrev16of17((ShStructget16of17(x): T16)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget8of17(x): T8) } + (ShStructrev8of17((ShStructget8of17(x): T8)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget3of17(x): T3) } + (ShStructrev3of17((ShStructget3of17(x): T3)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget12of17(x): T12) } + (ShStructrev12of17((ShStructget12of17(x): T12)): ShStruct17[T0, T1, T2, T3, T4, T5, 
T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget7of17(x): T7) } + (ShStructrev7of17((ShStructget7of17(x): T7)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget11of17(x): T11) } + (ShStructrev11of17((ShStructget11of17(x): T11)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16], + y: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of17(x): T0) == (ShStructget0of17(y): T0) && + (ShStructget1of17(x): T1) == (ShStructget1of17(y): T1) && + (ShStructget2of17(x): T2) == (ShStructget2of17(y): T2) && + (ShStructget3of17(x): T3) == (ShStructget3of17(y): T3) && + (ShStructget4of17(x): T4) == (ShStructget4of17(y): T4) && + (ShStructget5of17(x): T5) == (ShStructget5of17(y): T5) && + (ShStructget6of17(x): T6) == (ShStructget6of17(y): T6) && + (ShStructget7of17(x): T7) == (ShStructget7of17(y): T7) && + (ShStructget8of17(x): T8) == (ShStructget8of17(y): T8) && + (ShStructget9of17(x): T9) == (ShStructget9of17(y): T9) && + (ShStructget10of17(x): T10) == (ShStructget10of17(y): T10) && + (ShStructget11of17(x): T11) == (ShStructget11of17(y): T11) && + (ShStructget12of17(x): T12) == (ShStructget12of17(y): T12) && + (ShStructget13of17(x): T13) == (ShStructget13of17(y): T13) && + (ShStructget14of17(x): T14) == (ShStructget14of17(y): T14) && + (ShStructget15of17(x): T15) == (ShStructget15of17(y): T15) && + (ShStructget16of17(x): T16) == (ShStructget16of17(y): T16))) + } + + axiom { + (forall x: ShStruct17[T0, 
T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget5of17(x): T5) } + (ShStructrev5of17((ShStructget5of17(x): T5)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget4of17(x): T4) } + (ShStructrev4of17((ShStructget4of17(x): T4)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget6of17(x): T6) } + (ShStructrev6of17((ShStructget6of17(x): T6)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget15of17(x): T15) } + (ShStructrev15of17((ShStructget15of17(x): T15)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget9of17(x): T9) } + (ShStructrev9of17((ShStructget9of17(x): T9)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget0of17(x): T0) } + (ShStructrev0of17((ShStructget0of17(x): T0)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget14of17(x): T14) } + (ShStructrev14of17((ShStructget14of17(x): T14)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, 
T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget13of17(x): T13) } + (ShStructrev13of17((ShStructget13of17(x): T13)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } +} + +domain Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ { + + +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain Emb_2_Intuint8$$$_S_$$$ { + + +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function scap(s: Slice[T]): Int + + function soffset(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + function slen(s: Slice[T]): Int + + axiom deconstructor_over_constructor_array { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) == a) + } + + axiom { + (forall s: Slice[T] :: + { (soffset(s): Int), (scap(s): Int) } + { (ShArraylen((sarray(s): ShArray[T])): Int) } + (soffset(s): Int) + (scap(s): Int) <= + (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom deconstructor_over_constructor_len { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (slen((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (slen((smake(a, o, l, c): Slice[T])): Int) == l) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom { + (forall s: Slice[T] :: + { (slen(s): Int) } + { (scap(s): Int) } + (slen(s): Int) <= (scap(s): Int)) + } + + axiom deconstructor_over_constructor_offset { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (soffset((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) 
==> + (soffset((smake(a, o, l, c): Slice[T])): Int) == o) + } + + axiom deconstructor_over_constructor_cap { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (scap((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (scap((smake(a, o, l, c): Slice[T])): Int) == c) + } + + axiom { + (forall s: Slice[T] :: + { (sarray(s): ShArray[T]) } + { (soffset(s): Int) } + { (slen(s): Int) } + { (scap(s): Int) } + s == + (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShStruct6[T0, T1, T2, T3, T4, T5] { + + function ShStructget1of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T1 + + function ShStructget0of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T0 + + function ShStructrev3of6(v3: T3): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev4of6(v4: T4): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget5of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T5 + + function ShStructget3of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T3 + + function ShStructget2of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T2 + + function ShStructrev0of6(v0: T0): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev2of6(v2: T2): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev1of6(v1: T1): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev5of6(v5: T5): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget4of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T4 + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget3of6(x): T3) } + (ShStructrev3of6((ShStructget3of6(x): T3)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget1of6(x): T1) } + (ShStructrev1of6((ShStructget1of6(x): T1)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5], y: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == 
+ ((ShStructget0of6(x): T0) == (ShStructget0of6(y): T0) && + (ShStructget1of6(x): T1) == (ShStructget1of6(y): T1) && + (ShStructget2of6(x): T2) == (ShStructget2of6(y): T2) && + (ShStructget3of6(x): T3) == (ShStructget3of6(y): T3) && + (ShStructget4of6(x): T4) == (ShStructget4of6(y): T4) && + (ShStructget5of6(x): T5) == (ShStructget5of6(y): T5))) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget0of6(x): T0) } + (ShStructrev0of6((ShStructget0of6(x): T0)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget2of6(x): T2) } + (ShStructrev2of6((ShStructget2of6(x): T2)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget5of6(x): T5) } + (ShStructrev5of6((ShStructget5of6(x): T5)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget4of6(x): T4) } + (ShStructrev4of6((ShStructget4of6(x): T4)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraysecond(r: T): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraylen(a: ShArray[T]): Int + + axiom { + (forall a: ShArray[T] :: + { (ShArraylen(a): Int) } + (ShArraylen(a): Int) >= 0) + } + + axiom { + (forall a: ShArray[T], i: Int :: + { (ShArrayloc(a, i): T) } + 0 <= i && i < (ShArraylen(a): Int) ==> + (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && + (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, 
T2, T3, T4] + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructrev0of5(v0: T0): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && + (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && + (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && + (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && + (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget4of5(x): T4) } + (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget1of5(x): T1) } + (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget3of5(x): T3) } + (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget2of5(x): T2) } + (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget0of5(x): T0) } + (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { (tuple2(t0, t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + 
(get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget1of4(x): T1) } + (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget3of4(x): T3) } + (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget0of4(x): T0) } + (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && + (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && + (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && + (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget2of4(x): T2) } + (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == + x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructget2of3(x: ShStruct3[T0, T1, T2]): T2 + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + 
function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Emb_3_Intuint8$$$_S_$$$ { + + +} + +domain Tuple0 { + + +} + +domain Emb_6_Intbyte$$$_S_$$$ { + + +} + +domain Emb_4_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain ComparableInterfaceDomain { + + function comparableInterface(i: Tuple2[Ref, Types]): Bool + + axiom { + (forall i: Tuple2[Ref, Types] :: + { comparableInterface(i) } + comparableType_Types((get1of2(i): Types)) ==> comparableInterface(i)) + } +} + +domain Poly[T] { + + function box_Poly(x: T): Ref + + function unbox_Poly(y: Ref): T + + axiom { + (forall x: T :: + { (box_Poly(x): Ref) } + (unbox_Poly((box_Poly(x): Ref)): T) == x) + } +} + +domain String { + + unique function stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e(): Int + + unique function 
stringLit5468757273646179(): Int + + unique function stringLit5765646e6573646179(): Int + + unique function stringLit61646472(): Int + + unique function stringLit556e6b6e6f776e4e65787448647254797065(): Int + + unique function stringLit496e76616c6964536f7572636541646472657373(): Int + + unique function stringLit45787465726e616c496e74657266616365446f776e(): Int + + unique function stringLit736f757263652061646472657373206d697373696e67(): Int + + unique function stringLit6970(): Int + + unique function stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e(): Int + + unique function stringLit556e6b6e6f776e486f704279486f704f7074696f6e(): Int + + unique function stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(): Int + + unique function stringLit44657374696e6174696f6e556e726561636861626c65(): Int + + unique function stringLit62756666657220746f6f2073686f7274(): Int + + unique function stringLit5472616365726f7574655265706c79(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e20(): Int + + unique function stringLit496e76616c6964457874656e73696f6e486561646572(): Int + + unique function stringLit5343494f4e20686561646572206d697373696e67(): Int + + unique function stringLit616464724864724c656e(): Int + + unique function stringLit6d696e696e756d5f6c65677468(): Int + + unique function stringLit4e6f6e65(): Int + + unique function stringLit4f63746f626572(): Int + + unique function stringLit5061746845787069726564(): Int + + unique function stringLit4563686f5265706c79(): Int + + unique function stringLit6864724279746573(): Int + + unique function stringLit496e76616c6964486f704669656c644d4143(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit496e76616c69645365676d656e744368616e6765(): Int + + unique function stringLit5061636b6574546f6f426967(): Int + + unique function 
stringLit62696e6172792e4c6974746c65456e6469616e(): Int + + unique function stringLit424644(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032(): Int + + unique function stringLit496e76616c69645061636b657453697a65(): Int + + unique function stringLit5472616365726f75746552657175657374(): Int + + unique function stringLit556e6b6e6f776e5061746854797065(): Int + + unique function stringLit257328257329(): Int + + unique function stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(): Int + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit456e6432456e64(): Int + + unique function stringLit4c6974746c65456e6469616e(): Int + + unique function stringLit4d6179(): Int + + unique function stringLit486f704279486f70(): Int + + unique function stringLit686561646572206c656e6774682065786365656473206d6178696d756d(): Int + + unique function stringLit4a616e75617279(): Int + + unique function stringLit6d6178(): Int + + unique function stringLit417072696c(): Int + + unique function stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564(): Int + + unique function stringLit256428256429(): Int + + unique function stringLit4a756e65(): Int + + unique function stringLit467269646179(): Int + + unique function stringLit506172616d6574657250726f626c656d(): Int + + unique function stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572(): Int + + unique function stringLit53657074656d626572(): Int + + unique function stringLit64657374696e6174696f6e2061646472657373206d697373696e67(): Int + + unique function stringLit496e7465726e616c436f6e6e6563746976697479446f776e(): Int + + unique function stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564(): 
Int + + unique function stringLit426967456e6469616e(): Int + + unique function stringLit417567757374(): Int + + unique function stringLit4665627275617279(): Int + + unique function stringLit446563656d626572(): Int + + unique function stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034(): Int + + unique function stringLit556e6b6e6f776e41646472657373466f726d6174(): Int + + unique function stringLit496e76616c6964436f6d6d6f6e486561646572(): Int + + unique function stringLit6c656e(): Int + + unique function stringLit53756e646179(): Int + + unique function stringLit556e6b6e6f776e5343494f4e56657273696f6e(): Int + + unique function stringLit6d696e696d756d(): Int + + unique function stringLit4e6f6e4c6f63616c44656c6976657279(): Int + + unique function stringLit554e4b4e4f574e2028256429(): Int + + unique function stringLit436d644864724c656e(): Int + + unique function stringLit5361747572646179(): Int + + unique function stringLit6578706563746564(): Int + + unique function stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(): Int + + unique function stringLit257328436f64653a20256429(): Int + + unique function stringLit6d696e(): Int + + unique function stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(): Int + + unique function stringLit4572726f6e656f75734865616465724669656c64(): Int + + unique function stringLit466c6f7749445265717569726564(): Int + + unique function stringLit4d6f6e646179(): Int + + unique function stringLit4a756c79(): Int + + unique function stringLit756470(): Int + + unique function stringLit4563686f52657175657374(): Int + + unique function stringLit(): Int + + unique function stringLit756e737570706f727465642061646472657373(): Int + + unique function stringLit496e76616c696450617468(): Int + + unique function stringLit54756573646179(): Int + + unique function stringLit544350(): Int + + unique function 
stringLit4e6f76656d626572(): Int + + unique function stringLit556e6b6e6f776e456e64546f456e644f7074696f6e(): Int + + unique function stringLit74797065(): Int + + unique function stringLit496e76616c696441646472657373486561646572(): Int + + unique function stringLit2573282564295c6e5061796c6f61643a202573(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365(): Int + + unique function stringLit4d61726368(): Int + + unique function stringLit53434d50(): Int + + unique function stringLit4f7074696f6e206e6f7420666f756e64(): Int + + unique function stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573(): Int + + unique function stringLit61637475616c(): Int + + unique function stringLit62696e6172792e426967456e6469616e(): Int + + unique function stringLit554450(): Int + + unique function stringLit496e76616c696444657374696e6174696f6e41646472657373(): Int + + axiom { + strLen(stringLit5061746845787069726564()) == 11 + } + + axiom { + strLen(stringLit74797065()) == 4 + } + + axiom { + strLen(stringLit6578706563746564()) == 8 + } + + axiom { + strLen(stringLit756470()) == 3 + } + + axiom { + strLen(stringLit436d644864724c656e()) == 9 + } + + axiom { + strLen(stringLit62696e6172792e426967456e6469616e()) == 16 + } + + axiom { + strLen(stringLit496e76616c696441646472657373486561646572()) == 20 + } + + axiom { + strLen(stringLit257328436f64653a20256429()) == 12 + } + + axiom { + strLen(stringLit4563686f52657175657374()) == 11 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit686561646572206c656e6774682065786365656473206d6178696d756d()) == + 29 + } + + axiom { + strLen(stringLit496e76616c6964457874656e73696f6e486561646572()) == 22 + } + + axiom { + strLen(stringLit61637475616c()) == 6 + } + + axiom { + strLen(stringLit4d61726368()) == 5 + } + + axiom { + strLen(stringLit62696e6172792e4c6974746c65456e6469616e()) == 
19 + } + + axiom { + strLen(stringLit467269646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032()) == + 47 + } + + axiom { + strLen(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c()) == + 28 + } + + axiom { + strLen(stringLit554450()) == 3 + } + + axiom { + strLen(stringLit426967456e6469616e()) == 9 + } + + axiom { + strLen(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e()) == + 32 + } + + axiom { + strLen(stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572()) == + 47 + } + + axiom { + strLen(stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573()) == + 38 + } + + axiom { + strLen(stringLit4a616e75617279()) == 7 + } + + axiom { + strLen(stringLit4d6179()) == 3 + } + + axiom { + strLen(stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564()) == + 39 + } + + axiom { + strLen(stringLit756e737570706f727465642061646472657373()) == 19 + } + + axiom { + strLen(stringLit4f63746f626572()) == 7 + } + + axiom { + strLen(stringLit44657374696e6174696f6e556e726561636861626c65()) == 22 + } + + axiom { + strLen(stringLit496e7465726e616c436f6e6e6563746976697479446f776e()) == + 24 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365()) == + 30 + } + + axiom { + strLen(stringLit466c6f7749445265717569726564()) == 14 + } + + axiom { + strLen(stringLit4a756c79()) == 4 + } + + axiom { + strLen(stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034()) == + 51 + } + + axiom { + strLen(stringLit424644()) == 3 + } + + axiom { + strLen(stringLit486f704279486f70()) == 8 + } + + axiom { + strLen(stringLit53434d50()) == 4 + } + + axiom { + strLen(stringLit556e6b6e6f776e5061746854797065()) == 15 + } + + axiom { + strLen(stringLit456e6432456e64()) == 7 
+ } + + axiom { + strLen(stringLit5361747572646179()) == 8 + } + + axiom { + strLen(stringLit496e76616c6964436f6d6d6f6e486561646572()) == 19 + } + + axiom { + strLen(stringLit556e6b6e6f776e5343494f4e56657273696f6e()) == 19 + } + + axiom { + strLen(stringLit446563656d626572()) == 8 + } + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + strLen(stringLit5468757273646179()) == 8 + } + + axiom { + strLen(stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit6970()) == 2 + } + + axiom { + strLen(stringLit62756666657220746f6f2073686f7274()) == 16 + } + + axiom { + strLen(stringLit554e4b4e4f574e2028256429()) == 12 + } + + axiom { + strLen(stringLit5472616365726f7574655265706c79()) == 15 + } + + axiom { + strLen(stringLit64657374696e6174696f6e2061646472657373206d697373696e67()) == + 27 + } + + axiom { + strLen(stringLit256428256429()) == 6 + } + + axiom { + strLen(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468()) == + 47 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e()) == + 52 + } + + axiom { + strLen(stringLit4563686f5265706c79()) == 9 + } + + axiom { + strLen(stringLit53657074656d626572()) == 9 + } + + axiom { + strLen(stringLit5061636b6574546f6f426967()) == 12 + } + + axiom { + strLen(stringLit496e76616c696450617468()) == 11 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365()) == + 31 + } + + axiom { + strLen(stringLit2573282564295c6e5061796c6f61643a202573()) == 19 + } + + axiom { + strLen(stringLit257328257329()) == 6 + } + + axiom { + strLen(stringLit417072696c()) == 5 + } + + axiom { + strLen(stringLit4665627275617279()) == 8 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e20()) == + 
26 + } + + axiom { + strLen(stringLit4f7074696f6e206e6f7420666f756e64()) == 16 + } + + axiom { + strLen(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468()) == + 55 + } + + axiom { + strLen(stringLit53756e646179()) == 6 + } + + axiom { + strLen(stringLit45787465726e616c496e74657266616365446f776e()) == 21 + } + + axiom { + strLen(stringLit4e6f76656d626572()) == 8 + } + + axiom { + strLen(stringLit556e6b6e6f776e41646472657373466f726d6174()) == 20 + } + + axiom { + strLen(stringLit54756573646179()) == 7 + } + + axiom { + strLen(stringLit4d6f6e646179()) == 6 + } + + axiom { + strLen(stringLit556e6b6e6f776e456e64546f456e644f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit496e76616c696444657374696e6174696f6e41646472657373()) == + 25 + } + + axiom { + strLen(stringLit6d696e()) == 3 + } + + axiom { + strLen(stringLit6d6178()) == 3 + } + + axiom { + strLen(stringLit4e6f6e4c6f63616c44656c6976657279()) == 16 + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704279486f704f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit616464724864724c656e()) == 10 + } + + axiom { + strLen(stringLit5472616365726f75746552657175657374()) == 17 + } + + axiom { + strLen(stringLit496e76616c6964536f7572636541646472657373()) == 20 + } + + axiom { + strLen(stringLit4a756e65()) == 4 + } + + axiom { + strLen(stringLit417567757374()) == 6 + } + + axiom { + strLen(stringLit61646472()) == 4 + } + + axiom { + strLen(stringLit4c6974746c65456e6469616e()) == 12 + } + + axiom { + strLen(stringLit4572726f6e656f75734865616465724669656c64()) == 20 + } + + axiom { + strLen(stringLit4e6f6e65()) == 4 + } + + axiom { + strLen(stringLit6d696e696d756d()) == 7 + } + + axiom { + strLen(stringLit496e76616c69645061636b657453697a65()) == 17 + } + + axiom { + strLen(stringLit736f757263652061646472657373206d697373696e67()) == 22 + } + + axiom { + strLen(stringLit6c656e()) == 3 + } + + axiom { + 
strLen(stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e()) == + 43 + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit5343494f4e20686561646572206d697373696e67()) == 20 + } + + axiom { + strLen(stringLit496e76616c6964486f704669656c644d4143()) == 18 + } + + axiom { + strLen(stringLit556e6b6e6f776e4e65787448647254797065()) == 18 + } + + axiom { + strLen(stringLit5765646e6573646179()) == 9 + } + + axiom { + strLen(stringLit544350()) == 3 + } + + axiom { + strLen(stringLit6d696e696e756d5f6c65677468()) == 13 + } + + axiom { + strLen(stringLit496e76616c69645365676d656e744368616e6765()) == 20 + } + + axiom { + strLen(stringLit506172616d6574657250726f626c656d()) == 16 + } + + axiom { + strLen(stringLit6864724279746573()) == 8 + } +} + +domain PolyAdditionalAxioms { + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[Ref, Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == Path_4cddb96f_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + 
axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct0) } + (box_Poly((unbox_Poly(y): ShStruct0)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Int) } + (box_Poly((unbox_Poly(y): Int)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: 
Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == nilDecodeFeedback_b41831d7_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Slice[Ref]) } + (box_Poly((unbox_Poly(y): Slice[Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref) == + y) + } +} + +field Intuint16$$$$_E_$$$: Int + +field Bool$$$$_E_$$$: Bool + +field SliceIntbyte$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint32$$$$_E_$$$: Int + +field SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + +field SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint64$$$$_E_$$$: Int + +field DefinedPath_a6ceb89d_T$$$$_E_$$$: Tuple2[Ref, Types] + +field DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$: Int + +field Intuint8$$$$_E_$$$: Int + +field DefinedType_a6ceb89d_T$$$$_E_$$$: Int + +field PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + +field SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + +field PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + +field Interfaceempty_interface$$$$_E_$$$: Tuple2[Ref, Types] + +field SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field 
SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct4[Ref, Ref, Ref, Ref]] + +field PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + +field DefinedAddrType_840d9458_T$$$$_E_$$$: Int + +field DefinedIA_cd675838_T$$$$_E_$$$: Int + +field Intbyte$$$$_E_$$$: Int + +field Intint$$$$_E_$$$: Int + +field DefinedL4ProtocolType_840d9458_T$$$$_E_$$$: Int + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +// decreases _ +function shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$(): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$] + ensures (ShStructget0of3(result): Ref) == null && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Emb_3_Intuint8$$$_S_$$$) == + box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(arrayNil_3_Intuint8$$$_S_$$$()) + + +// decreases +function addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Int + requires acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + ensures 0 <= result +{ + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) +} 
+ +// decreases +function assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(b: Bool, + y: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMBase(s_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(s_V0), wildcard) + ensures result >= 4 + ensures result == + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +{ + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +} + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_4_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 4 || + result == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases _ +function shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[Ref, Ref] + ensures (ShStructget0of2(result): Ref) == null && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_4_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 4 || + x == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases +function PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + 
buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMRaw(s_V0, buf_V0) +} + +// decreases _ +function box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || + x == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases _ +function Len_a6ceb89d_PMrawPath(p_V0: ShStruct2[Ref, Ref], underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) in + (slen((ShStructget0of2(p_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) +} + +// decreases +function assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(b: Bool, y: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref] + requires b +{ + y +} + +// decreases +function Length_840d9458_MAddrType(tl_V0: Int): Int + ensures result == 4 * (1 + BitAnd3_ca158f5e_F(tl_V0)) + ensures tl_V0 == 0 ==> result == 4 + ensures tl_V0 == 4 ==> result == 4 + ensures tl_V0 == 3 ==> result == 4 * 4 +{ + 4 * (1 + intBitwiseAnd(tl_V0, 3)) +} + +// decreases _ +function Len_c385169_PMPath(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + ensures result == 32 +{ + 32 +} + +// decreases +function getPathPure_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref], + pathType_V0: Int): Tuple2[Ref, Types] + requires 0 <= pathType_V0 && pathType_V0 < 256 + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, wildcard) + requires !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) + requires acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) +{ + (pathType_V0 < + (slen((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ? + (unfolding acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) in + (ShArrayloc((sarray((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + pathType_V0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) : + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) +} + +// decreases _ +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function arrayNil_3_Intuint8$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function assertArg2_Tuple0(b: Bool, y: Tuple0): Tuple0 + requires b +{ + y +} + +// decreases +function 
PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c6e60a1d_PMPath(p_V0, ubuf_V0) +} + +// decreases _ +function shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + ensures (ShStructget0of2(result): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) == + shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$() && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_3_Intuint8$$$_S_$$$ + requires (ShArraylen(x): Int) == 3 || x == arrayNil_3_Intuint8$$$_S_$$$() + ensures unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases _ +function intBitwiseAnd(left: Int, right: Int): Int + + +// decreases +function BitAnd3_ca158f5e_F(b_V0: Int): Int + ensures 0 <= intBitwiseAnd(b_V0, 3) && intBitwiseAnd(b_V0, 3) <= 3 + ensures b_V0 == 0 ==> result == 0 + ensures b_V0 == 3 ==> result == 3 + ensures b_V0 == 4 ==> result == 0 + ensures result == intBitwiseAnd(b_V0, 3) + + +// decreases _ +function shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$(): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref] + ensures (ShStructget0of3(result): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$]) == + shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Ref) == null + + +// decreases 
+function assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(b: Bool, + y: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + requires b +{ + y +} + +// decreases _ +function shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$(): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures (ShStructget0of17(result): ShStruct2[Ref, Ref]) == + shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of17(result): Ref) == null && + (ShStructget2of17(result): Ref) == null && + (ShStructget3of17(result): Ref) == null && + (ShStructget4of17(result): Ref) == null && + (ShStructget5of17(result): Ref) == null && + (ShStructget6of17(result): Ref) == null && + (ShStructget7of17(result): Ref) == null && + (ShStructget8of17(result): Ref) == null && + (ShStructget9of17(result): Ref) == null && + (ShStructget10of17(result): Ref) == null && + (ShStructget11of17(result): 
Ref) == null && + (ShStructget12of17(result): Ref) == null && + (ShStructget13of17(result): Ref) == null && + (ShStructget14of17(result): Ref) == null && + (ShStructget15of17(result): Ref) == null && + (ShStructget16of17(result): Ref) == null + + +function ssliceFromArray_Ref(a: ShArray[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (ShArraylen(a): Int) + ensures (soffset(result): Int) == i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (ShArraylen(a): Int) - i + ensures (sarray(result): ShArray[Ref]) == a + + +// decreases _ +function Len_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures !hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> result == 16 + ensures hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> + result == + 16 + + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMRaw((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0, 16, (slen(ubuf_V0): Int)))) + + +// decreases +function Has3Bits_840d9458_MAddrType(a_V0: Int): Bool +{ + 0 <= a_V0 && a_V0 <= 7 +} + +// decreases _ +function ssliceFromSlice_Ref(s: Slice[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (scap(s): Int) + ensures (soffset(result): Int) == (soffset(s): Int) + i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (scap(s): Int) - i + ensures (sarray(result): ShArray[Ref]) == (sarray(s): ShArray[Ref]) + + +// decreases _ +function Len_daeaf66a_PMRaw(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires 
acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases +function AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + (unfolding acc(HeaderMem_840d9458_PMSCION(s_V0, ssliceFromSlice_Ref(ubuf_V0, + 12, (slen(ubuf_V0): Int))), wildcard) in + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$))) +} + +// decreases _ +function typeOfInterface_Y$558431e4_a6ceb89d_(itf: Tuple2[Ref, Types]): Types + ensures result == (get1of2(itf): Types) + ensures behavioral_subtype_Types(result, Y$558431e4_a6ceb89d__Types()) + + +// decreases _ +function sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures 
(sarray(result): ShArray[Ref]) == + unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$())) + + +// decreases _ +function unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(y: Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases +function assertArg2_ShStruct2_RefRef(b: Bool, y: ShStruct2[Ref, Ref]): ShStruct2[Ref, Ref] + requires b +{ + y +} + +// decreases +function IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf), wildcard) + + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_4_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 4 + ensures box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +// decreases _ +function arrayNil_4_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), pointer_Types(Path_c385169_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c385169_PMPath(o_V0, ubuf_V0) +} + +// decreases +function 
getNumHops_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases +function getNumINF_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result && result <= 3 +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases _ +function Len_4cddb96f_MPath(o_V0: Tuple0, underlyingBuf_V0: Slice[Ref]): Int + ensures 0 <= result +{ + 0 +} + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_4_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 4 + ensures unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf: Tuple2[Ref, Types], + underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) 
==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 + + +// decreases _ +function arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function hasScionPath_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + buf_V0: Slice[Ref]): Bool + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result == + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + 
buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +} + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +// decreases +function pathPoolInitialized_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Bool + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) +{ + !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) +} + +// decreases +function PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct2[Ref, Ref], + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_a6ceb89d_PMrawPath(p_V0, underlyingBuf_V0) +} + +// decreases +function Len_a6ceb89d_SY$558431e4_a6ceb89d_(thisItf: Tuple2[Ref, Types], underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), 
+ underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 +{ + (true ? + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ? 
+ Len_a6ceb89d_PMrawPath(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(rawPath_a6ceb89d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Raw_daeaf66a_T_Types()) ? + Len_daeaf66a_PMRaw(assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Raw_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c6e60a1d_T_Types()) ? + Len_c6e60a1d_PMPath(assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c6e60a1d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c385169_T_Types()) ? + Len_c385169_PMPath(assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c385169_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? 
+ Len_daeaf66a_PMDecoded(assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Decoded_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + Path_4cddb96f_T_Types() ? + Len_4cddb96f_MPath(assertArg2_Tuple0(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + Path_4cddb96f_T_Types()), (unbox_Poly((get0of2(thisItf): Ref)): Tuple0)), + underlyingBuf_V0) : + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, + underlyingBuf_V0)))))))) +} + +// decreases _ +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases +function PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMDecoded(d_V0, ubuf_V0) +} + +// decreases +function AddrHdrLen_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref], insideSlayers_V0: Bool): Int + requires insideSlayers_V0 
==> + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires insideSlayers_V0 ==> + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires !insideSlayers_V0 ==> + acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures insideSlayers_V0 ==> + result == addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) + ensures !insideSlayers_V0 ==> + result == AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0, ubuf_V0) + ensures 0 <= result + + +// decreases +function assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(b: Bool, + y: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMDecoded(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, 
Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases +function DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: Tuple0, + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), Path_4cddb96f_T_Types()): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_4cddb96f_MPath(o_V0, underlyingBuf_V0) +} + +// decreases _ +function unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(y: Emb_3_Intuint8$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 3 || + result == arrayNil_3_Intuint8$$$_S_$$$() + ensures box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == y + + +predicate dynamic_pred_0(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + ((get1of2(i): Types) == pointer_Types(EndToEndExtn_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + 
acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMEndToEndOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(EndToEndExtnSkipper_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtn_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { 
(ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMHopByHopOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == pointer_Types(SCION_840d9458_T_Types()) ? 
+ acc((ShStructget1of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget2of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget4of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) && + acc((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17((unbox_Poly((get0of2(i): 
Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ && + 0 <= + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) && + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 <= + (slen(x0): Int) && + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 && + acc((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + 
acc(dynamic_pred_6((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)), write) && + (let fn$$0 == + ((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + (ShStructget0of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4) && + (ShStructget1of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4, 
(slen(x0): Int)) && + 12 <= (slen(x0): Int) && + acc(HeaderMem_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + ssliceFromSlice_Ref(x0, 12, (slen(x0): Int))), write) && + 0 <= + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ && + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ < + 256 && + acc((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + (!pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + (pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref])) ==> + !((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + !((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$), write) && + (ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + getPathPure_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$)) && + (typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) ==> + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)) <= + (slen(x0): Int)) : + ((get1of2(i): Types) == pointer_Types(SCMP_840d9458_T_Types()) ? 
+ acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$()) ==> + acc(ChecksumMem_840d9458_PMSCION((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$), write)) : + ((get1of2(i): Types) == + pointer_Types(SCMPDestinationUnreachable_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMBaseLayer((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct2[Ref, Ref]])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPEcho_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 16), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) ? + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 24), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPPacketTooBig_840d9458_T_Types()) ? 
+ acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPParameterProblem_840d9458_T_Types()) ? + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPTraceroute_840d9458_T_Types()) ? + acc((ShStructget1of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget4of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 20), write) : + ((get1of2(i): Types) == + Payload_b41831d7_T_Types() ? 
+ x0 == + (unbox_Poly((get0of2(i): Ref)): Slice[Ref]) : + acc(dynamic_pred_0_unknown(i, x0), write))))))))))))))) +} + +predicate Mem_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) { + acc((ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget0of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget1of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 0): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 1): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 2): Ref).Intuint8$$$$_E_$$$, write) && + 0 <= (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ && + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ <= 3 && + 0 <= (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$ && + (0 < (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ ==> + 0 < (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +predicate HeaderMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) { + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + 
Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) <= (slen(ubuf_V0): Int) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) == + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) <= + (slen(ubuf_V0): Int) && + 0 < + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < 2 * 8 && + 2 * 8 < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) <= + (slen(ubuf_V0): Int) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8, 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) && + (ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8 + + 
Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$), + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) +} + +predicate AbsSlice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int) { + 0 <= start_V0 && start_V0 <= end_V0 && end_V0 <= (scap(s_V0): Int) && + (forall i_V1: Int :: + { (ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), i_V1)): Ref) } + start_V0 <= i_V1 && i_V1 < end_V0 ==> + acc((ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, write)) +} + +predicate PathPoolMemExceptOne_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types], + pathType_V0: Int) { + !(pathPool_V0 == sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + (slen(pathPool_V0): Int) == 4 && + (acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + Path_4cddb96f_T_Types()) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 2)): 
Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) && + (!(pathType_V0 == 2) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Raw_daeaf66a_T_Types()) && + (!(pathType_V0 == 1) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c6e60a1d_T_Types()) && + (!(pathType_V0 == 3) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + !(pathPoolRaw_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + (pathType_V0 < (slen(pathPool_V0): Int) ==> + acc(dynamic_pred_2(pathPoolRaw_V0), write)) +} + +predicate dynamic_pred_6(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + 
((get1of2(i): Types) == Path_4cddb96f_T_Types() ? + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(Path_4cddb96f_T_Types()) ? + (let fn$$0 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct0)) in + true) && + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(rawPath_a6ceb89d_T_Types()) ? + (let fn$$1 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$1): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$1): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write)) && + (ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + x0 : + ((get1of2(i): Types) == pointer_Types(Path_c385169_T_Types()) ? + (let fn$$2 == + ((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct4[Ref, Ref, Ref, Ref])) in + acc((ShStructget0of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget1of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$2): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$2): Ref).Intuint32$$$$_E_$$$, write)) && + acc(Mem_a6ceb89d_PMHopField((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + acc(Mem_a6ceb89d_PMHopField((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + 32 <= (slen(x0): Int) : + ((get1of2(i): Types) == pointer_Types(Path_c6e60a1d_T_Types()) ? 
+ (let fn$$3 == + ((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write)) && + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, write) && + !((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$()) && + 16 <= (slen(x0): Int) && + acc(dynamic_pred_6((tuple2((box_Poly((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$): Ref), + pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), ssliceFromSlice_Ref(x0, + 16, 
(slen(x0): Int))), write) : + ((get1of2(i): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + acc(Mem_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) <= + 3 && + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): 
Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget0of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 
== + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget1of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): 
ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget2of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, 
Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget3of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write))) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumHops_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + (forall i_V2: Int :: + { (ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + 
sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) } + 0 <= i_V2 && + i_V2 < + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_a6ceb89d_PMHopField((ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write)) : + ((get1of2(i): Types) == pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ acc(Mem_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) <= + (slen(x0): Int) && + (ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + Len_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) : + acc(dynamic_pred_6_unknown(i, x0), write)))))))) +} + +predicate dynamic_pred_0_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate ChecksumMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) + +predicate Mem_840d9458_PMHopByHopOption(o_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2325_V0: Int) + +predicate Mem_840d9458_PMextnBase(e_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) + +predicate 
Mem_a6ceb89d_PMHopField(h_V0: ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) + +predicate Mem_840d9458_PMEndToEndOption(e_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2372_V0: Int) + +predicate PathPoolMem_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types]) + +predicate ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate Mem_840d9458_PMBaseLayer(b_V0: ShStruct2[Ref, Ref], ub_V0: Slice[Ref], + breakPoint_V0: Int) + +predicate dynamic_pred_6_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate dynamic_pred_2(i: Tuple2[Ref, Types]) + +// decreases +method SplitRange_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (slen(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, (slen(s_V0): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, end_V0 - start_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, start_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, end_V0, (slen(s_V0): Int)), p_V0) + + +// decreases _ +method copy_BFSliceIntbyte$$$_S_$$$$$$$_E_$$$_SliceIntbyte$$$_S_$$$$$$$_E_$$$_Permission$$$$_E_$$$(dst: Slice[Ref], + src: Slice[Ref], p: Perm) + returns (res: Int) + requires none < p + requires (forall i1: Int :: + { (ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), i1)): Ref) } + i1 >= 0 && i1 < (slen(dst): Int) ==> + acc((ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), + i1)): Ref).Intbyte$$$$_E_$$$, write)) + requires (forall i2: Int :: + { (ShArrayloc((sarray(src): ShArray[Ref]), sadd((soffset(src): Int), i2)): Ref) } + i2 >= 0 && i2 < (slen(src): Int) ==> + acc((ShArrayloc((sarray(src): ShArray[Ref]), sadd((soffset(src): Int), + i2)): Ref).Intbyte$$$$_E_$$$, p)) + ensures (slen(dst): Int) <= (slen(src): Int) ==> (slen(dst): Int) == res + ensures 
(slen(src): Int) < (slen(dst): Int) ==> (slen(src): Int) == res + ensures (forall i1: Int :: + { (ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), i1)): Ref) } + i1 >= 0 && i1 < (slen(dst): Int) ==> + acc((ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), + i1)): Ref).Intbyte$$$$_E_$$$, write)) + ensures (forall i2: Int :: + { (ShArrayloc((sarray(src): ShArray[Ref]), sadd((soffset(src): Int), i2)): Ref) } + i2 >= 0 && i2 < (slen(src): Int) ==> + acc((ShArrayloc((sarray(src): ShArray[Ref]), sadd((soffset(src): Int), + i2)): Ref).Intbyte$$$$_E_$$$, p)) + ensures (forall i3: Int :: + { (ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), i3)): Ref) } + i3 >= 0 && i3 < (slen(src): Int) && + (i3 >= 0 && i3 < (slen(dst): Int)) ==> + (ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), i3)): Ref).Intbyte$$$$_E_$$$ == + old((ShArrayloc((sarray(src): ShArray[Ref]), sadd((soffset(src): Int), + i3)): Ref).Intbyte$$$$_E_$$$)) + ensures (forall i4: Int :: + { (ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), i4)): Ref) } + i4 >= (slen(src): Int) && i4 < (slen(dst): Int) ==> + (ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), i4)): Ref).Intbyte$$$$_E_$$$ == + old((ShArrayloc((sarray(dst): ShArray[Ref]), sadd((soffset(dst): Int), + i4)): Ref).Intbyte$$$$_E_$$$)) + + +// decreases +method CombineRange_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (slen(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, end_V0 - start_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, start_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, end_V0, (slen(s_V0): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, (slen(s_V0): Int)), p_V0) + + +// decreases +method SerializeAddrHdr_840d9458_PMSCION(s_V0: 
ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + buf_V0: Slice[Ref], ubuf_V0: Slice[Ref]) + returns (err_V0: Tuple2[Ref, Types]) + requires acc(HeaderMem_840d9458_PMSCION(s_V0, ubuf_V0), 1 / 4096) + requires acc(AbsSlice_Bytes_e630ae22_F(buf_V0, 0, (slen(buf_V0): Int)), write) + requires acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), 1 / + 4096) + ensures acc(HeaderMem_840d9458_PMSCION(s_V0, ubuf_V0), 1 / 4096) + ensures acc(AbsSlice_Bytes_e630ae22_F(buf_V0, 0, (slen(buf_V0): Int)), write) + ensures acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), 1 / + 4096) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) +{ + inhale err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl s_V0_CN0: *SCION_840d9458_T@°°, buf_V0_CN1: []byte@°°, ubuf_V0_CN2: []byte@°°, err_V0_CN3: error_a4af0e5e_T°° + var err_V0_CN3: Tuple2[Ref, Types] + var ubuf_V0_CN2: Slice[Ref] + var buf_V0_CN1: Slice[Ref] + var s_V0_CN0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + + + var fn$$0_activation: Bool + var fn$$0_0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var fn$$0_1: Slice[Ref] + var fn$$0_2: Perm + fn$$0_activation := false + + // init s_V0_CN0 + inhale s_V0_CN0 == + 
shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$() + + // init buf_V0_CN1 + inhale buf_V0_CN1 == sliceDefault_Intbyte$$$_S_$$$() + + // init ubuf_V0_CN2 + inhale ubuf_V0_CN2 == sliceDefault_Intbyte$$$_S_$$$() + + // init err_V0_CN3 + inhale err_V0_CN3 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // s_V0_CN0 = s_V0 + s_V0_CN0 := s_V0 + + // buf_V0_CN1 = buf_V0 + buf_V0_CN1 := buf_V0 + + // ubuf_V0_CN2 = ubuf_V0 + ubuf_V0_CN2 := ubuf_V0 + + // decl dstAddrBytes_V1: int°°, srcAddrBytes_V1: int°°, offset_V1: int°°, N10: int°°, N11: int°° + var N11: Int + var N10: Int + var offset_V1: Int + var srcAddrBytes_V1: Int + var dstAddrBytes_V1: Int + + // unfold acc(s_V0_CN0.HeaderMem(ubuf_V0_CN2), perm(1/4096)) + unfold acc(HeaderMem_840d9458_PMSCION(s_V0_CN0, ubuf_V0_CN2), 1 / 4096) + + // defer fold acc(s_V0_CN0.HeaderMem(ubuf_V0_CN2), perm(1/4096)) + fn$$0_0 := s_V0_CN0 + fn$$0_1 := ubuf_V0_CN2 + fn$$0_2 := 1 / 4096 + fn$$0_activation := true + + // if(len(buf_V0_CN1) < s_V0_CN0.AddrHdrLen((nil:[]byte@°), true)) {...} else {...} + if ((slen(buf_V0_CN1): Int) < + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true)) { + + // decl N6: []interface{ name is empty_interface }@°°, N7: error_a4af0e5e_T°° + var N7: Tuple2[Ref, Types] + var N6: Slice[Ref] + + // N6 = new([]interface{ name is empty_interface }@ 
{ 0:toInterface("expected"), 1:toInterface(s_V0_CN0.AddrHdrLen((nil:[]byte@°), true)), 2:toInterface("actual"), 3:toInterface(len(buf_V0_CN1)) }) + var fn$$1: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$3: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$4: Emb_4_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$2: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$1), + fn$$2): Ref) } + 0 <= fn$$2 && fn$$2 < 4 ==> + acc((ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$1), + fn$$2): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$1 == + box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_4_Interfaceempty_interface$$$_S_$$$())) + fn$$3 := fn$$1 + fn$$4 := box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit6578706563746564()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(AddrHdrLen_840d9458_PMSCION(s_V0_CN0, + sliceDefault_Intbyte$$$_S_$$$(), true)): Ref), int_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly(stringLit61637475616c()): Ref), string_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly((slen(buf_V0_CN1): Int)): Ref), integer_Types()): Tuple2[Ref, Types]))) + inhale (forall fn$$5: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$3), + fn$$5): Ref) } + { unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$4)[fn$$5] } + 0 <= fn$$5 && fn$$5 < 4 ==> + (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$3), + fn$$5): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$4)[fn$$5]) + N6 := ssliceFromArray_Ref(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$1), + 0, 4) + + // N7 = New_bfd5223e_F("provided buffer is too small", N6) + N7 := New_bfd5223e_F(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(), + N6) + + // err_V0_CN3 = N7 + 
err_V0_CN3 := N7 + + // return + goto returnLabel + } + + // init dstAddrBytes_V1 + inhale dstAddrBytes_V1 == 0 + + // dstAddrBytes_V1 = *s_V0_CN0.DstAddrTypeA.Length() + dstAddrBytes_V1 := Length_840d9458_MAddrType((ShStructget8of17(s_V0_CN0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + // init srcAddrBytes_V1 + inhale srcAddrBytes_V1 == 0 + + // srcAddrBytes_V1 = *s_V0_CN0.SrcAddrTypeA.Length() + srcAddrBytes_V1 := Length_840d9458_MAddrType((ShStructget9of17(s_V0_CN0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + // init offset_V1 + inhale offset_V1 == 0 + + // offset_V1 = 0 + offset_V1 := 0 + + // SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, len(buf_V0_CN1), write) + SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, (slen(buf_V0_CN1): Int), + write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:len(buf_V0_CN1)], 0, len(buf_V0_CN1[offset_V1:len(buf_V0_CN1)]))) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int)), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int))): Int)), write) + + // 0PutUint64(buf_V0_CN1[offset_V1:len(buf_V0_CN1)], uint64°(*s_V0_CN0.DstIAA)) + PutUint64_72f0d887_MbigEndian(0, ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int)), (ShStructget10of17(s_V0_CN0): Ref).DefinedIA_cd675838_T$$$$_E_$$$) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:len(buf_V0_CN1)], 0, len(buf_V0_CN1[offset_V1:len(buf_V0_CN1)]))) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int)), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int))): Int)), write) + + // CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, len(buf_V0_CN1), write) + CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, (slen(buf_V0_CN1): Int), + write) + + // offset_V1 = offset_V1 + 8 + offset_V1 := offset_V1 + 8 + + // SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, 
len(buf_V0_CN1), write) + SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, (slen(buf_V0_CN1): Int), + write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:len(buf_V0_CN1)], 0, len(buf_V0_CN1[offset_V1:len(buf_V0_CN1)]))) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int)), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int))): Int)), write) + + // 0PutUint64(buf_V0_CN1[offset_V1:len(buf_V0_CN1)], uint64°(*s_V0_CN0.SrcIAA)) + PutUint64_72f0d887_MbigEndian(0, ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int)), (ShStructget11of17(s_V0_CN0): Ref).DefinedIA_cd675838_T$$$$_E_$$$) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:len(buf_V0_CN1)], 0, len(buf_V0_CN1[offset_V1:len(buf_V0_CN1)]))) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int)), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + (slen(buf_V0_CN1): Int))): Int)), write) + + // CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, len(buf_V0_CN1), write) + CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, (slen(buf_V0_CN1): Int), + write) + + // offset_V1 = offset_V1 + 8 + offset_V1 := offset_V1 + 8 + + // SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + dstAddrBytes_V1, write) + SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + + dstAddrBytes_V1, write) + + // SplitRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + dstAddrBytes_V1, perm(1/4096)) + SplitRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + + dstAddrBytes_V1, 1 / 4096) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:offset_V1 + dstAddrBytes_V1], 0, len(buf_V0_CN1[offset_V1:offset_V1 + dstAddrBytes_V1]))) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + dstAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + 
dstAddrBytes_V1)): Int)), write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0_CN2[offset_V1:offset_V1 + dstAddrBytes_V1], 0, len(ubuf_V0_CN2[offset_V1:offset_V1 + dstAddrBytes_V1])), perm(1/4096)) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(ubuf_V0_CN2, offset_V1, + offset_V1 + dstAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(ubuf_V0_CN2, + offset_V1, offset_V1 + dstAddrBytes_V1)): Int)), 1 / 4096) + + // N10 = copy_BFSliceIntbyte$$$_S_$$$$$$$_E_$$$_SliceIntbyte$$$_S_$$$$$$$_E_$$$_Permission$$$$_E_$$$(buf_V0_CN1[offset_V1:offset_V1 + dstAddrBytes_V1], *s_V0_CN0.RawDstAddrA, perm(1/4096)) + N10 := copy_BFSliceIntbyte$$$_S_$$$$$$$_E_$$$_SliceIntbyte$$$_S_$$$$$$$_E_$$$_Permission$$$$_E_$$$(ssliceFromSlice_Ref(buf_V0_CN1, + offset_V1, offset_V1 + dstAddrBytes_V1), (ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 1 / 4096) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:offset_V1 + dstAddrBytes_V1], 0, len(buf_V0_CN1[offset_V1:offset_V1 + dstAddrBytes_V1]))) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + dstAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + dstAddrBytes_V1)): Int)), write) + + // fold acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0_CN2[offset_V1:offset_V1 + dstAddrBytes_V1], 0, len(ubuf_V0_CN2[offset_V1:offset_V1 + dstAddrBytes_V1])), perm(1/4096)) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(ubuf_V0_CN2, offset_V1, + offset_V1 + dstAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(ubuf_V0_CN2, + offset_V1, offset_V1 + dstAddrBytes_V1)): Int)), 1 / 4096) + + // CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + dstAddrBytes_V1, write) + CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + + dstAddrBytes_V1, write) + + // CombineRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + dstAddrBytes_V1, perm(1/4096)) + CombineRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + + dstAddrBytes_V1, 
1 / 4096) + + // offset_V1 = offset_V1 + dstAddrBytes_V1 + offset_V1 := offset_V1 + dstAddrBytes_V1 + + // SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + srcAddrBytes_V1, write) + SplitRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + + srcAddrBytes_V1, write) + + // SplitRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + srcAddrBytes_V1, perm(1/4096)) + SplitRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + + srcAddrBytes_V1, 1 / 4096) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:offset_V1 + srcAddrBytes_V1], 0, len(buf_V0_CN1[offset_V1:offset_V1 + srcAddrBytes_V1]))) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + srcAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + srcAddrBytes_V1)): Int)), write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0_CN2[offset_V1:offset_V1 + srcAddrBytes_V1], 0, len(ubuf_V0_CN2[offset_V1:offset_V1 + srcAddrBytes_V1])), perm(1/4096)) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(ubuf_V0_CN2, offset_V1, + offset_V1 + srcAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(ubuf_V0_CN2, + offset_V1, offset_V1 + srcAddrBytes_V1)): Int)), 1 / 4096) + + // N11 = copy_BFSliceIntbyte$$$_S_$$$$$$$_E_$$$_SliceIntbyte$$$_S_$$$$$$$_E_$$$_Permission$$$$_E_$$$(buf_V0_CN1[offset_V1:offset_V1 + srcAddrBytes_V1], *s_V0_CN0.RawSrcAddrA, perm(1/4096)) + N11 := copy_BFSliceIntbyte$$$_S_$$$$$$$_E_$$$_SliceIntbyte$$$_S_$$$$$$$_E_$$$_Permission$$$$_E_$$$(ssliceFromSlice_Ref(buf_V0_CN1, + offset_V1, offset_V1 + srcAddrBytes_V1), (ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 1 / 4096) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V0_CN1[offset_V1:offset_V1 + srcAddrBytes_V1], 0, len(buf_V0_CN1[offset_V1:offset_V1 + srcAddrBytes_V1]))) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V0_CN1, offset_V1, + offset_V1 + srcAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(buf_V0_CN1, 
offset_V1, + offset_V1 + srcAddrBytes_V1)): Int)), write) + + // fold acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0_CN2[offset_V1:offset_V1 + srcAddrBytes_V1], 0, len(ubuf_V0_CN2[offset_V1:offset_V1 + srcAddrBytes_V1])), perm(1/4096)) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(ubuf_V0_CN2, offset_V1, + offset_V1 + srcAddrBytes_V1), 0, (slen(ssliceFromSlice_Ref(ubuf_V0_CN2, + offset_V1, offset_V1 + srcAddrBytes_V1)): Int)), 1 / 4096) + + // CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + srcAddrBytes_V1, write) + CombineRange_Bytes_e630ae22_F(buf_V0_CN1, offset_V1, offset_V1 + + srcAddrBytes_V1, write) + + // CombineRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + srcAddrBytes_V1, perm(1/4096)) + CombineRange_Bytes_e630ae22_F(ubuf_V0_CN2, offset_V1, offset_V1 + + srcAddrBytes_V1, 1 / 4096) + + // err_V0_CN3 = (nil:error_a4af0e5e_T°) + err_V0_CN3 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + label returnLabel + if (fn$$0_activation) { + + // fold acc(fn$$0_0.HeaderMem(fn$$0_1), fn$$0_2) + fold acc(HeaderMem_840d9458_PMSCION(fn$$0_0, fn$$0_1), fn$$0_2) + } + + // err_V0 = err_V0_CN3 + err_V0 := err_V0_CN3 +} + +// decreases _ +method PutUint64_72f0d887_MbigEndian(e_V0: Int, b_V0: Slice[Ref], v_V0: Int) + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, write) + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 4)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 5)): Ref).Intbyte$$$$_E_$$$, write) 
&& + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 6)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 7)): Ref).Intbyte$$$$_E_$$$, write) + ensures acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, write) + ensures acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 4)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 5)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 6)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 7)): Ref).Intbyte$$$$_E_$$$, write) + + +// decreases _ +method New_bfd5223e_F(msg_V0: Int, errCtx_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures !(res_V0 == (tuple2(null, nil_Types()): 
Tuple2[Ref, Types])) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0) diff --git a/src/test/resources/biabduction/frontends/gobra/scion_SerializeTo.vpr b/src/test/resources/biabduction/frontends/gobra/scion_SerializeTo.vpr new file mode 100644 index 00000000..f501004d --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/scion_SerializeTo.vpr 
@@ -0,0 +1,4287 @@ +domain ShStruct2[T0, T1] { + + function ShStructget1of2(x: ShStruct2[T0, T1]): T1 + + function ShStructget0of2(x: ShStruct2[T0, T1]): T0 + + function ShStructrev1of2(v1: T1): ShStruct2[T0, T1] + + function ShStructrev0of2(v0: T0): ShStruct2[T0, T1] + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget1of2(x): T1) } + (ShStructrev1of2((ShStructget1of2(x): T1)): ShStruct2[T0, T1]) == x) + } + + axiom { + (forall x: ShStruct2[T0, T1], y: ShStruct2[T0, T1] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of2(x): T0) == (ShStructget0of2(y): T0) && + (ShStructget1of2(x): T1) == (ShStructget1of2(y): T1))) + } + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget0of2(x): T0) } + (ShStructrev0of2((ShStructget0of2(x): T0)): ShStruct2[T0, T1]) == x) + } +} + +domain Emb_2_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain Emb_2_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain ShStruct0 { + + axiom { + (forall x: ShStruct0, y: ShStruct0 :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == true) + } +} + +domain Emb_4_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain ShStruct1[T0] { + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } +} + +domain ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] { + + function ShStructget4of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T4 + + function ShStructget10of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T10 + + function ShStructrev4of17(v4: T4): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, 
T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev10of17(v10: T10): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev13of17(v13: T13): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget5of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T5 + + function ShStructrev0of17(v0: T0): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev2of17(v2: T2): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget6of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T6 + + function ShStructrev1of17(v1: T1): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev15of17(v15: T15): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget7of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T7 + + function ShStructrev14of17(v14: T14): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget8of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T8 + + function ShStructrev7of17(v7: T7): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget2of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T2 + + function ShStructget11of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T11 + + function ShStructrev12of17(v12: T12): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev11of17(v11: T11): ShStruct17[T0, T1, T2, T3, T4, 
T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget3of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T3 + + function ShStructrev9of17(v9: T9): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev8of17(v8: T8): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev5of17(v5: T5): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev3of17(v3: T3): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget16of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T16 + + function ShStructget14of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T14 + + function ShStructget13of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T13 + + function ShStructrev16of17(v16: T16): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev6of17(v6: T6): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget9of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T9 + + function ShStructget12of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T12 + + function ShStructget0of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T0 + + function ShStructget1of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T1 + + function ShStructget15of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T15 + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, 
T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget10of17(x): T10) } + (ShStructrev10of17((ShStructget10of17(x): T10)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget1of17(x): T1) } + (ShStructrev1of17((ShStructget1of17(x): T1)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget2of17(x): T2) } + (ShStructrev2of17((ShStructget2of17(x): T2)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget16of17(x): T16) } + (ShStructrev16of17((ShStructget16of17(x): T16)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget8of17(x): T8) } + (ShStructrev8of17((ShStructget8of17(x): T8)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget3of17(x): T3) } + (ShStructrev3of17((ShStructget3of17(x): T3)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget12of17(x): T12) } + (ShStructrev12of17((ShStructget12of17(x): T12)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + 
} + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget7of17(x): T7) } + (ShStructrev7of17((ShStructget7of17(x): T7)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget11of17(x): T11) } + (ShStructrev11of17((ShStructget11of17(x): T11)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16], + y: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of17(x): T0) == (ShStructget0of17(y): T0) && + (ShStructget1of17(x): T1) == (ShStructget1of17(y): T1) && + (ShStructget2of17(x): T2) == (ShStructget2of17(y): T2) && + (ShStructget3of17(x): T3) == (ShStructget3of17(y): T3) && + (ShStructget4of17(x): T4) == (ShStructget4of17(y): T4) && + (ShStructget5of17(x): T5) == (ShStructget5of17(y): T5) && + (ShStructget6of17(x): T6) == (ShStructget6of17(y): T6) && + (ShStructget7of17(x): T7) == (ShStructget7of17(y): T7) && + (ShStructget8of17(x): T8) == (ShStructget8of17(y): T8) && + (ShStructget9of17(x): T9) == (ShStructget9of17(y): T9) && + (ShStructget10of17(x): T10) == (ShStructget10of17(y): T10) && + (ShStructget11of17(x): T11) == (ShStructget11of17(y): T11) && + (ShStructget12of17(x): T12) == (ShStructget12of17(y): T12) && + (ShStructget13of17(x): T13) == (ShStructget13of17(y): T13) && + (ShStructget14of17(x): T14) == (ShStructget14of17(y): T14) && + (ShStructget15of17(x): T15) == (ShStructget15of17(y): T15) && + (ShStructget16of17(x): T16) == (ShStructget16of17(y): T16))) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, 
T15, T16] :: + { (ShStructget5of17(x): T5) } + (ShStructrev5of17((ShStructget5of17(x): T5)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget4of17(x): T4) } + (ShStructrev4of17((ShStructget4of17(x): T4)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget6of17(x): T6) } + (ShStructrev6of17((ShStructget6of17(x): T6)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget15of17(x): T15) } + (ShStructrev15of17((ShStructget15of17(x): T15)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget9of17(x): T9) } + (ShStructrev9of17((ShStructget9of17(x): T9)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget0of17(x): T0) } + (ShStructrev0of17((ShStructget0of17(x): T0)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget14of17(x): T14) } + (ShStructrev14of17((ShStructget14of17(x): T14)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, 
T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget13of17(x): T13) } + (ShStructrev13of17((ShStructget13of17(x): T13)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } +} + +domain Types { + + unique function HostNone_cd675838_T_Types_tag(): Int + + unique function bigEndian_72f0d887_T_Types_tag(): Int + + function tag_Types(t: Types): Int + + function Y$8f734176_14a7fb6d__Types(): Types + + unique function nil_Types_tag(): Int + + function rawPath_a6ceb89d_T_Types(): Types + + function SCMPDestinationUnreachable_840d9458_T_Types(): Types + + unique function nilDecodeFeedback_b41831d7_T_Types_tag(): Int + + function Path_c6e60a1d_T_Types(): Types + + unique function Y$49c4c25f_d3743b4f__Types_tag(): Int + + unique function HopByHopExtnSkipper_840d9458_T_Types_tag(): Int + + unique function IA_cd675838_T_Types_tag(): Int + + unique function Y$558431e4_a6ceb89d__Types_tag(): Int + + unique function LayerType_b41831d7_T_Types_tag(): Int + + function string_Types(): Types + + unique function Path_c385169_T_Types_tag(): Int + + function HostNone_cd675838_T_Types(): Types + + unique function Y$6914870a_b41831d7__Types_tag(): Int + + function SCMPTypeCode_840d9458_T_Types(): Types + + function Payload_b41831d7_T_Types(): Types + + function Y$17800ab4_b41831d7__Types(): Types + + function nil_Types(): Types + + unique function Y$17800ab4_b41831d7__Types_tag(): Int + + unique function HostIPv6_cd675838_T_Types_tag(): Int + + function IPAddr_5c610647_T_Types(): Types + + function uint16_Types(): Types + + unique function Path_c6e60a1d_T_Types_tag(): Int + + unique function int_Types_tag(): Int + + unique function SCMP_840d9458_T_Types_tag(): Int + + function SCMPEcho_840d9458_T_Types(): Types + + unique function HopByHopExtn_840d9458_T_Types_tag(): Int + + function AddrType_840d9458_T_Types(): Types + + function Y$68d3cee9_b41831d7__Types(): Types + + function 
Y$60c7bddc_b41831d7__Types(): Types + + function SCMPExternalInterfaceDown_840d9458_T_Types(): Types + + function SCMPTraceroute_840d9458_T_Types(): Types + + unique function Y$3191b69e_b41831d7__Types_tag(): Int + + function nilDecodeFeedback_b41831d7_T_Types(): Types + + function SCMPPacketTooBig_840d9458_T_Types(): Types + + function SCION_840d9458_T_Types(): Types + + unique function Y$60c7bddc_b41831d7__Types_tag(): Int + + unique function SCION_840d9458_T_Types_tag(): Int + + unique function SCMPCode_840d9458_T_Types_tag(): Int + + unique function Raw_daeaf66a_T_Types_tag(): Int + + unique function uint16_Types_tag(): Int + + function AS_cd675838_T_Types(): Types + + function slice_Types(p0: Types): Types + + unique function HostSVC_cd675838_T_Types_tag(): Int + + function Y$49c4c25f_d3743b4f__Types(): Types + + function integer_Types(): Types + + function bigEndian_72f0d887_T_Types(): Types + + function empty_interface_Types(): Types + + function LayerType_b41831d7_T_Types(): Types + + unique function SCMPType_840d9458_T_Types_tag(): Int + + unique function byte_Types_tag(): Int + + unique function SCMPInternalConnectivityDown_840d9458_T_Types_tag(): Int + + unique function Y$b28ae4_ac87dd1d__Types_tag(): Int + + function Y$53a71dc3_5c610647__Types(): Types + + function HopByHopExtnSkipper_840d9458_T_Types(): Types + + unique function EndToEndExtn_840d9458_T_Types_tag(): Int + + function SCMP_840d9458_T_Types(): Types + + function Raw_daeaf66a_T_Types(): Types + + function L4ProtocolType_840d9458_T_Types(): Types + + unique function SCMPTraceroute_840d9458_T_Types_tag(): Int + + unique function integer_Types_tag(): Int + + unique function rawPath_a6ceb89d_T_Types_tag(): Int + + unique function SCMPParameterProblem_840d9458_T_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + function UDPAddr_5c610647_T_Types(): Types + + unique function AddrType_840d9458_T_Types_tag(): Int + + function SCMPParameterProblem_840d9458_T_Types(): Types + + 
unique function Y$8f734176_14a7fb6d__Types_tag(): Int + + unique function littleEndian_72f0d887_T_Types_tag(): Int + + unique function Decoded_daeaf66a_T_Types_tag(): Int + + unique function SCMPExternalInterfaceDown_840d9458_T_Types_tag(): Int + + unique function Y$9127f611_b41831d7__Types_tag(): Int + + unique function pointer_Types_tag(): Int + + unique function L4ProtocolType_840d9458_T_Types_tag(): Int + + function Decoded_daeaf66a_T_Types(): Types + + unique function IPAddr_5c610647_T_Types_tag(): Int + + function Path_c385169_T_Types(): Types + + function Y$c2e55be_72f0d887__Types(): Types + + function BFD_6416454f_T_Types(): Types + + function pointer_Types(p0: Types): Types + + unique function HostIPv4_cd675838_T_Types_tag(): Int + + unique function string_Types_tag(): Int + + unique function slice_Types_tag(): Int + + unique function Y$53a71dc3_5c610647__Types_tag(): Int + + function Y$febd64e7_b41831d7__Types(): Types + + function Path_4cddb96f_T_Types(): Types + + unique function Y$c2e55be_72f0d887__Types_tag(): Int + + function SCMPCode_840d9458_T_Types(): Types + + function Y$558431e4_a6ceb89d__Types(): Types + + function Y$3191b69e_b41831d7__Types(): Types + + unique function Y$68d3cee9_b41831d7__Types_tag(): Int + + function EndToEndExtnSkipper_840d9458_T_Types(): Types + + unique function SCMPPacketTooBig_840d9458_T_Types_tag(): Int + + function SCMPInternalConnectivityDown_840d9458_T_Types(): Types + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + function Y$9127f611_b41831d7__Types(): Types + + unique function SCMPDestinationUnreachable_840d9458_T_Types_tag(): Int + + function IA_cd675838_T_Types(): Types + + unique function Y$9c78df5f_b41831d7__Types_tag(): Int + + function Y$b28ae4_ac87dd1d__Types(): Types + + unique function Y$35202e5_cd675838__Types_tag(): Int + + function HostSVC_cd675838_T_Types(): Types + + function HostIPv6_cd675838_T_Types(): Types + + function Y$35202e5_cd675838__Types(): Types + + function 
littleEndian_72f0d887_T_Types(): Types + + function HostIPv4_cd675838_T_Types(): Types + + function Y$6914870a_b41831d7__Types(): Types + + unique function UDPAddr_5c610647_T_Types_tag(): Int + + function EndToEndExtn_840d9458_T_Types(): Types + + unique function BFD_6416454f_T_Types_tag(): Int + + function SCMPType_840d9458_T_Types(): Types + + unique function Payload_b41831d7_T_Types_tag(): Int + + unique function Y$febd64e7_b41831d7__Types_tag(): Int + + unique function empty_interface_Types_tag(): Int + + unique function EndToEndExtnSkipper_840d9458_T_Types_tag(): Int + + unique function Path_4cddb96f_T_Types_tag(): Int + + function int_Types(): Types + + function Y$9c78df5f_b41831d7__Types(): Types + + function HopByHopExtn_840d9458_T_Types(): Types + + unique function AS_cd675838_T_Types_tag(): Int + + function byte_Types(): Types + + unique function SCMPEcho_840d9458_T_Types_tag(): Int + + unique function SCMPTypeCode_840d9458_T_Types_tag(): Int + + function get_0_pointer_Types(t: Types): Types + + axiom { + (forall x0: Types :: + { pointer_Types(x0) } + get_0_pointer_Types(pointer_Types(x0)) == x0) + } + + axiom { + tag_Types(rawPath_a6ceb89d_T_Types()) == rawPath_a6ceb89d_T_Types_tag() + } + + axiom { + tag_Types(SCION_840d9458_T_Types()) == SCION_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(HostSVC_cd675838_T_Types()) == true + } + + axiom { + tag_Types(HostSVC_cd675838_T_Types()) == HostSVC_cd675838_T_Types_tag() + } + + axiom { + tag_Types(Y$c2e55be_72f0d887__Types()) == + Y$c2e55be_72f0d887__Types_tag() + } + + axiom { + tag_Types(Y$3191b69e_b41831d7__Types()) == + Y$3191b69e_b41831d7__Types_tag() + } + + axiom { + tag_Types(IA_cd675838_T_Types()) == IA_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(Y$49c4c25f_d3743b4f__Types()) == false + } + + axiom { + tag_Types(Y$35202e5_cd675838__Types()) == + Y$35202e5_cd675838__Types_tag() + } + + axiom { + comparableType_Types(Y$b28ae4_ac87dd1d__Types()) == false + } + + axiom { 
+ tag_Types(Path_c6e60a1d_T_Types()) == Path_c6e60a1d_T_Types_tag() + } + + axiom { + comparableType_Types(Y$c2e55be_72f0d887__Types()) == false + } + + axiom { + comparableType_Types(rawPath_a6ceb89d_T_Types()) == true + } + + axiom { + comparableType_Types(Path_c385169_T_Types()) == true + } + + axiom { + comparableType_Types(Decoded_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + comparableType_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(SCMP_840d9458_T_Types()) == SCMP_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + SCMPInternalConnectivityDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$53a71dc3_5c610647__Types()) == + Y$53a71dc3_5c610647__Types_tag() + } + + axiom { + tag_Types(byte_Types()) == byte_Types_tag() + } + + axiom { + comparableType_Types(Path_c6e60a1d_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(string_Types()) == true + } + + axiom { + comparableType_Types(littleEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(LayerType_b41831d7_T_Types()) == true + } + + axiom { + comparableType_Types(HopByHopExtn_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$68d3cee9_b41831d7__Types()) == false + } + + axiom { + tag_Types(Raw_daeaf66a_T_Types()) == Raw_daeaf66a_T_Types_tag() + } + + axiom { + tag_Types(Y$9127f611_b41831d7__Types()) == + Y$9127f611_b41831d7__Types_tag() + } + + axiom { + tag_Types(AS_cd675838_T_Types()) == AS_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(int_Types()) == true + } + + axiom { + tag_Types(Y$68d3cee9_b41831d7__Types()) == + Y$68d3cee9_b41831d7__Types_tag() + } + + axiom { + tag_Types(nilDecodeFeedback_b41831d7_T_Types()) == + nilDecodeFeedback_b41831d7_T_Types_tag() + } + + axiom { + 
tag_Types(EndToEndExtn_840d9458_T_Types()) == + EndToEndExtn_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(IA_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(Y$6914870a_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(SCMPPacketTooBig_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$3191b69e_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(byte_Types()) == true + } + + axiom { + tag_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + SCMPExternalInterfaceDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$b28ae4_ac87dd1d__Types()) == Y$b28ae4_ac87dd1d__Types_tag() + } + + axiom { + comparableType_Types(IPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(HostIPv6_cd675838_T_Types()) == + HostIPv6_cd675838_T_Types_tag() + } + + axiom { + tag_Types(HopByHopExtn_840d9458_T_Types()) == + HopByHopExtn_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPCode_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(nilDecodeFeedback_b41831d7_T_Types()) == true + } + + axiom { + comparableType_Types(AddrType_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(UDPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(SCMPPacketTooBig_840d9458_T_Types()) == + SCMPPacketTooBig_840d9458_T_Types_tag() + } + + axiom { + (forall p0: Types :: + { pointer_Types(p0) } + tag_Types(pointer_Types(p0)) == pointer_Types_tag()) + } + + axiom { + tag_Types(SCMPCode_840d9458_T_Types()) == + SCMPCode_840d9458_T_Types_tag() + } + + axiom { + tag_Types(integer_Types()) == integer_Types_tag() + } + + axiom { + comparableType_Types(Raw_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(Y$9c78df5f_b41831d7__Types()) == false + } + + axiom { + tag_Types(LayerType_b41831d7_T_Types()) == + LayerType_b41831d7_T_Types_tag() + } + + 
axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + comparableType_Types(SCMPType_840d9458_T_Types()) == true + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + tag_Types(Y$febd64e7_b41831d7__Types()) == + Y$febd64e7_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(HostNone_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(HostIPv6_cd675838_T_Types()) == false + } + + axiom { + (forall p0: Types :: + { comparableType_Types(slice_Types(p0)) } + comparableType_Types(slice_Types(p0)) == false) + } + + axiom { + tag_Types(Path_c385169_T_Types()) == Path_c385169_T_Types_tag() + } + + axiom { + comparableType_Types(Y$febd64e7_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(Y$8f734176_14a7fb6d__Types()) == false + } + + axiom { + comparableType_Types(uint16_Types()) == true + } + + axiom { + tag_Types(HostNone_cd675838_T_Types()) == + HostNone_cd675838_T_Types_tag() + } + + axiom { + tag_Types(UDPAddr_5c610647_T_Types()) == UDPAddr_5c610647_T_Types_tag() + } + + axiom { + tag_Types(Payload_b41831d7_T_Types()) == Payload_b41831d7_T_Types_tag() + } + + axiom { + comparableType_Types(EndToEndExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPType_840d9458_T_Types()) == + SCMPType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(EndToEndExtnSkipper_840d9458_T_Types()) == + EndToEndExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(AS_cd675838_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { comparableType_Types(pointer_Types(p0)) } + comparableType_Types(pointer_Types(p0)) == true) + } + + axiom { + comparableType_Types(SCMPParameterProblem_840d9458_T_Types()) == true + } + + axiom { + 
tag_Types(HostIPv4_cd675838_T_Types()) == + HostIPv4_cd675838_T_Types_tag() + } + + axiom { + tag_Types(HopByHopExtnSkipper_840d9458_T_Types()) == + HopByHopExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$6914870a_b41831d7__Types()) == + Y$6914870a_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(L4ProtocolType_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$558431e4_a6ceb89d__Types()) == false + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } + + axiom { + tag_Types(string_Types()) == string_Types_tag() + } + + axiom { + tag_Types(Decoded_daeaf66a_T_Types()) == Decoded_daeaf66a_T_Types_tag() + } + + axiom { + tag_Types(bigEndian_72f0d887_T_Types()) == + bigEndian_72f0d887_T_Types_tag() + } + + axiom { + tag_Types(L4ProtocolType_840d9458_T_Types()) == + L4ProtocolType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$49c4c25f_d3743b4f__Types()) == + Y$49c4c25f_d3743b4f__Types_tag() + } + + axiom { + comparableType_Types(Y$9127f611_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(HostIPv4_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(Y$17800ab4_b41831d7__Types()) == false + } + + axiom { + tag_Types(SCMPTypeCode_840d9458_T_Types()) == + SCMPTypeCode_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + SCMPDestinationUnreachable_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$17800ab4_b41831d7__Types()) == + Y$17800ab4_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$558431e4_a6ceb89d__Types()) == + Y$558431e4_a6ceb89d__Types_tag() + } + + axiom { + tag_Types(BFD_6416454f_T_Types()) == BFD_6416454f_T_Types_tag() + } + + axiom { + comparableType_Types(Y$60c7bddc_b41831d7__Types()) == false + } + + axiom { + tag_Types(uint16_Types()) == uint16_Types_tag() + } + + axiom { + comparableType_Types(BFD_6416454f_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPEcho_840d9458_T_Types()) == true + } + + 
axiom { + comparableType_Types(EndToEndExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCION_840d9458_T_Types()) == true + } + + axiom { + tag_Types(int_Types()) == int_Types_tag() + } + + axiom { + comparableType_Types(SCMPTypeCode_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Path_4cddb96f_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPTraceroute_840d9458_T_Types()) == true + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + (forall p0: Types :: + { slice_Types(p0) } + tag_Types(slice_Types(p0)) == slice_Types_tag()) + } + + axiom { + comparableType_Types(SCMP_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$53a71dc3_5c610647__Types()) == false + } + + axiom { + tag_Types(AddrType_840d9458_T_Types()) == + AddrType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPParameterProblem_840d9458_T_Types()) == + SCMPParameterProblem_840d9458_T_Types_tag() + } + + axiom { + tag_Types(littleEndian_72f0d887_T_Types()) == + littleEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(bigEndian_72f0d887_T_Types()) == true + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + tag_Types(IPAddr_5c610647_T_Types()) == IPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(Y$35202e5_cd675838__Types()) == false + } + + axiom { + tag_Types(SCMPTraceroute_840d9458_T_Types()) == + SCMPTraceroute_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$60c7bddc_b41831d7__Types()) == + Y$60c7bddc_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$9c78df5f_b41831d7__Types()) == + Y$9c78df5f_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(integer_Types()) == true + } + + axiom { + tag_Types(Y$8f734176_14a7fb6d__Types()) == + Y$8f734176_14a7fb6d__Types_tag() + } + + axiom { + 
tag_Types(Path_4cddb96f_T_Types()) == Path_4cddb96f_T_Types_tag() + } + + axiom { + comparableType_Types(HopByHopExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + comparableType_Types(Payload_b41831d7_T_Types()) == false + } + + axiom { + tag_Types(SCMPEcho_840d9458_T_Types()) == + SCMPEcho_840d9458_T_Types_tag() + } +} + +domain Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ { + + +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain Emb_2_Intuint8$$$_S_$$$ { + + +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function scap(s: Slice[T]): Int + + function soffset(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + function slen(s: Slice[T]): Int + + axiom deconstructor_over_constructor_array { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) == a) + } + + axiom { + (forall s: Slice[T] :: + { (soffset(s): Int), (scap(s): Int) } + { (ShArraylen((sarray(s): ShArray[T])): Int) } + (soffset(s): Int) + (scap(s): Int) <= + (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom deconstructor_over_constructor_len { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (slen((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (slen((smake(a, o, l, c): Slice[T])): Int) == l) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: + { (slen(s): Int) } + { (scap(s): Int) } + (slen(s): Int) <= (scap(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom deconstructor_over_constructor_offset { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (soffset((smake(a, o, l, c): 
Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (soffset((smake(a, o, l, c): Slice[T])): Int) == o) + } + + axiom deconstructor_over_constructor_cap { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (scap((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (scap((smake(a, o, l, c): Slice[T])): Int) == c) + } + + axiom { + (forall s: Slice[T] :: + { (sarray(s): ShArray[T]) } + { (soffset(s): Int) } + { (slen(s): Int) } + { (scap(s): Int) } + s == + (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShStruct6[T0, T1, T2, T3, T4, T5] { + + function ShStructget1of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T1 + + function ShStructget0of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T0 + + function ShStructrev3of6(v3: T3): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev4of6(v4: T4): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget5of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T5 + + function ShStructget3of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T3 + + function ShStructget2of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T2 + + function ShStructrev0of6(v0: T0): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev2of6(v2: T2): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev1of6(v1: T1): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev5of6(v5: T5): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget4of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T4 + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget3of6(x): T3) } + (ShStructrev3of6((ShStructget3of6(x): T3)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget1of6(x): T1) } + (ShStructrev1of6((ShStructget1of6(x): T1)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5], 
y: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of6(x): T0) == (ShStructget0of6(y): T0) && + (ShStructget1of6(x): T1) == (ShStructget1of6(y): T1) && + (ShStructget2of6(x): T2) == (ShStructget2of6(y): T2) && + (ShStructget3of6(x): T3) == (ShStructget3of6(y): T3) && + (ShStructget4of6(x): T4) == (ShStructget4of6(y): T4) && + (ShStructget5of6(x): T5) == (ShStructget5of6(y): T5))) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget0of6(x): T0) } + (ShStructrev0of6((ShStructget0of6(x): T0)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget2of6(x): T2) } + (ShStructrev2of6((ShStructget2of6(x): T2)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget5of6(x): T5) } + (ShStructrev5of6((ShStructget5of6(x): T5)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget4of6(x): T4) } + (ShStructrev4of6((ShStructget4of6(x): T4)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraysecond(r: T): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraylen(a: ShArray[T]): Int + + axiom { + (forall a: ShArray[T] :: + { (ShArraylen(a): Int) } + (ShArraylen(a): Int) >= 0) + } + + axiom { + (forall a: ShArray[T], i: Int :: + { (ShArrayloc(a, i): T) } + 0 <= i && i < (ShArraylen(a): Int) ==> + (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && + (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): 
ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructrev0of5(v0: T0): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget4of5(x): T4) } + (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget1of5(x): T1) } + (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && + (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && + (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && + (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && + (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget3of5(x): T3) } + (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget2of5(x): T2) } + (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget0of5(x): T0) } + (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { 
(tuple2(t0, t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget1of4(x): T1) } + (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget3of4(x): T3) } + (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget0of4(x): T0) } + (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && + (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && + (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && + (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget2of4(x): T2) } + (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == + x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructget2of3(x: 
ShStruct3[T0, T1, T2]): T2 + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Emb_3_Intuint8$$$_S_$$$ { + + +} + +domain Tuple0 { + + +} + +domain Emb_6_Intbyte$$$_S_$$$ { + + +} + +domain Emb_4_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain ComparableInterfaceDomain { + + function comparableInterface(i: Tuple2[Ref, Types]): Bool + + axiom { + (forall i: Tuple2[Ref, Types] :: + { comparableInterface(i) } + comparableType_Types((get1of2(i): Types)) ==> comparableInterface(i)) + } +} + +domain Poly[T] { + + function box_Poly(x: T): Ref + + function unbox_Poly(y: Ref): T + + axiom { + (forall x: T :: + { (box_Poly(x): Ref) } + (unbox_Poly((box_Poly(x): Ref)): T) == x) + } +} + +domain String { + + unique function stringLit61646472(): Int + + unique function 
stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e(): Int + + unique function stringLit5765646e6573646179(): Int + + unique function stringLit5468757273646179(): Int + + unique function stringLit556e6b6e6f776e4e65787448647254797065(): Int + + unique function stringLit496e76616c6964536f7572636541646472657373(): Int + + unique function stringLit45787465726e616c496e74657266616365446f776e(): Int + + unique function stringLit736f757263652061646472657373206d697373696e67(): Int + + unique function stringLit6970(): Int + + unique function stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e(): Int + + unique function stringLit556e6b6e6f776e486f704279486f704f7074696f6e(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e20(): Int + + unique function stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(): Int + + unique function stringLit44657374696e6174696f6e556e726561636861626c65(): Int + + unique function stringLit62756666657220746f6f2073686f7274(): Int + + unique function stringLit5472616365726f7574655265706c79(): Int + + unique function stringLit496e76616c6964457874656e73696f6e486561646572(): Int + + unique function stringLit5343494f4e20686561646572206d697373696e67(): Int + + unique function stringLit616464724864724c656e(): Int + + unique function stringLit6d696e696e756d5f6c65677468(): Int + + unique function stringLit4e6f6e65(): Int + + unique function stringLit4f63746f626572(): Int + + unique function stringLit5061746845787069726564(): Int + + unique function stringLit4563686f5265706c79(): Int + + unique function stringLit6864724279746573(): Int + + unique function stringLit496e76616c6964486f704669656c644d4143(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function 
stringLit496e76616c69645365676d656e744368616e6765(): Int + + unique function stringLit5061636b6574546f6f426967(): Int + + unique function stringLit62696e6172792e4c6974746c65456e6469616e(): Int + + unique function stringLit424644(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032(): Int + + unique function stringLit496e76616c69645061636b657453697a65(): Int + + unique function stringLit5472616365726f75746552657175657374(): Int + + unique function stringLit556e6b6e6f776e5061746854797065(): Int + + unique function stringLit257328257329(): Int + + unique function stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(): Int + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit456e6432456e64(): Int + + unique function stringLit4c6974746c65456e6469616e(): Int + + unique function stringLit4d6179(): Int + + unique function stringLit486f704279486f70(): Int + + unique function stringLit686561646572206c656e6774682065786365656473206d6178696d756d(): Int + + unique function stringLit6d6178(): Int + + unique function stringLit4a616e75617279(): Int + + unique function stringLit417072696c(): Int + + unique function stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564(): Int + + unique function stringLit256428256429(): Int + + unique function stringLit4a756e65(): Int + + unique function stringLit467269646179(): Int + + unique function stringLit506172616d6574657250726f626c656d(): Int + + unique function stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572(): Int + + unique function stringLit53657074656d626572(): Int + + unique function stringLit64657374696e6174696f6e2061646472657373206d697373696e67(): Int + + unique function 
stringLit496e7465726e616c436f6e6e6563746976697479446f776e(): Int + + unique function stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit426967456e6469616e(): Int + + unique function stringLit417567757374(): Int + + unique function stringLit4665627275617279(): Int + + unique function stringLit446563656d626572(): Int + + unique function stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034(): Int + + unique function stringLit556e6b6e6f776e41646472657373466f726d6174(): Int + + unique function stringLit496e76616c6964436f6d6d6f6e486561646572(): Int + + unique function stringLit6c656e(): Int + + unique function stringLit53756e646179(): Int + + unique function stringLit556e6b6e6f776e5343494f4e56657273696f6e(): Int + + unique function stringLit6d696e696d756d(): Int + + unique function stringLit4e6f6e4c6f63616c44656c6976657279(): Int + + unique function stringLit554e4b4e4f574e2028256429(): Int + + unique function stringLit436d644864724c656e(): Int + + unique function stringLit5361747572646179(): Int + + unique function stringLit6578706563746564(): Int + + unique function stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(): Int + + unique function stringLit257328436f64653a20256429(): Int + + unique function stringLit6d696e(): Int + + unique function stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(): Int + + unique function stringLit4572726f6e656f75734865616465724669656c64(): Int + + unique function stringLit466c6f7749445265717569726564(): Int + + unique function stringLit4d6f6e646179(): Int + + unique function stringLit4a756c79(): Int + + unique function stringLit756470(): Int + + unique function stringLit4563686f52657175657374(): Int + + unique function stringLit(): Int + + unique function stringLit756e737570706f727465642061646472657373(): Int + + unique function 
stringLit496e76616c696450617468(): Int + + unique function stringLit54756573646179(): Int + + unique function stringLit544350(): Int + + unique function stringLit4e6f76656d626572(): Int + + unique function stringLit556e6b6e6f776e456e64546f456e644f7074696f6e(): Int + + unique function stringLit74797065(): Int + + unique function stringLit496e76616c696441646472657373486561646572(): Int + + unique function stringLit2573282564295c6e5061796c6f61643a202573(): Int + + unique function stringLit53434d50(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365(): Int + + unique function stringLit4f7074696f6e206e6f7420666f756e64(): Int + + unique function stringLit4d61726368(): Int + + unique function stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573(): Int + + unique function stringLit61637475616c(): Int + + unique function stringLit62696e6172792e426967456e6469616e(): Int + + unique function stringLit554450(): Int + + unique function stringLit496e76616c696444657374696e6174696f6e41646472657373(): Int + + axiom { + strLen(stringLit5061746845787069726564()) == 11 + } + + axiom { + strLen(stringLit74797065()) == 4 + } + + axiom { + strLen(stringLit6578706563746564()) == 8 + } + + axiom { + strLen(stringLit756470()) == 3 + } + + axiom { + strLen(stringLit436d644864724c656e()) == 9 + } + + axiom { + strLen(stringLit62696e6172792e426967456e6469616e()) == 16 + } + + axiom { + strLen(stringLit496e76616c696441646472657373486561646572()) == 20 + } + + axiom { + strLen(stringLit257328436f64653a20256429()) == 12 + } + + axiom { + strLen(stringLit4563686f52657175657374()) == 11 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit496e76616c6964457874656e73696f6e486561646572()) == 22 + } + + axiom { + strLen(stringLit686561646572206c656e6774682065786365656473206d6178696d756d()) == + 29 + } + + axiom { + 
strLen(stringLit4d61726368()) == 5 + } + + axiom { + strLen(stringLit467269646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032()) == + 47 + } + + axiom { + strLen(stringLit61637475616c()) == 6 + } + + axiom { + strLen(stringLit62696e6172792e4c6974746c65456e6469616e()) == 19 + } + + axiom { + strLen(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c()) == + 28 + } + + axiom { + strLen(stringLit554450()) == 3 + } + + axiom { + strLen(stringLit426967456e6469616e()) == 9 + } + + axiom { + strLen(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e()) == + 32 + } + + axiom { + strLen(stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572()) == + 47 + } + + axiom { + strLen(stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573()) == + 38 + } + + axiom { + strLen(stringLit4a616e75617279()) == 7 + } + + axiom { + strLen(stringLit4d6179()) == 3 + } + + axiom { + strLen(stringLit756e737570706f727465642061646472657373()) == 19 + } + + axiom { + strLen(stringLit4f63746f626572()) == 7 + } + + axiom { + strLen(stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564()) == + 39 + } + + axiom { + strLen(stringLit44657374696e6174696f6e556e726561636861626c65()) == 22 + } + + axiom { + strLen(stringLit496e7465726e616c436f6e6e6563746976697479446f776e()) == + 24 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365()) == + 30 + } + + axiom { + strLen(stringLit466c6f7749445265717569726564()) == 14 + } + + axiom { + strLen(stringLit4a756c79()) == 4 + } + + axiom { + strLen(stringLit424644()) == 3 + } + + axiom { + strLen(stringLit486f704279486f70()) == 8 + } + + axiom { + strLen(stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034()) == + 51 + } + + 
axiom { + strLen(stringLit53434d50()) == 4 + } + + axiom { + strLen(stringLit556e6b6e6f776e5061746854797065()) == 15 + } + + axiom { + strLen(stringLit456e6432456e64()) == 7 + } + + axiom { + strLen(stringLit5361747572646179()) == 8 + } + + axiom { + strLen(stringLit496e76616c6964436f6d6d6f6e486561646572()) == 19 + } + + axiom { + strLen(stringLit556e6b6e6f776e5343494f4e56657273696f6e()) == 19 + } + + axiom { + strLen(stringLit446563656d626572()) == 8 + } + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + strLen(stringLit5468757273646179()) == 8 + } + + axiom { + strLen(stringLit6970()) == 2 + } + + axiom { + strLen(stringLit62756666657220746f6f2073686f7274()) == 16 + } + + axiom { + strLen(stringLit554e4b4e4f574e2028256429()) == 12 + } + + axiom { + strLen(stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit5472616365726f7574655265706c79()) == 15 + } + + axiom { + strLen(stringLit64657374696e6174696f6e2061646472657373206d697373696e67()) == + 27 + } + + axiom { + strLen(stringLit256428256429()) == 6 + } + + axiom { + strLen(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468()) == + 47 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e()) == + 52 + } + + axiom { + strLen(stringLit53657074656d626572()) == 9 + } + + axiom { + strLen(stringLit4563686f5265706c79()) == 9 + } + + axiom { + strLen(stringLit5061636b6574546f6f426967()) == 12 + } + + axiom { + strLen(stringLit496e76616c696450617468()) == 11 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365()) == + 31 + } + + axiom { + strLen(stringLit2573282564295c6e5061796c6f61643a202573()) == 19 + } + + axiom { + strLen(stringLit257328257329()) == 6 + } + + axiom { + 
strLen(stringLit4665627275617279()) == 8 + } + + axiom { + strLen(stringLit417072696c()) == 5 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e20()) == + 26 + } + + axiom { + strLen(stringLit4f7074696f6e206e6f7420666f756e64()) == 16 + } + + axiom { + strLen(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468()) == + 55 + } + + axiom { + strLen(stringLit53756e646179()) == 6 + } + + axiom { + strLen(stringLit45787465726e616c496e74657266616365446f776e()) == 21 + } + + axiom { + strLen(stringLit4e6f76656d626572()) == 8 + } + + axiom { + strLen(stringLit556e6b6e6f776e41646472657373466f726d6174()) == 20 + } + + axiom { + strLen(stringLit54756573646179()) == 7 + } + + axiom { + strLen(stringLit4d6f6e646179()) == 6 + } + + axiom { + strLen(stringLit556e6b6e6f776e456e64546f456e644f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit496e76616c696444657374696e6174696f6e41646472657373()) == + 25 + } + + axiom { + strLen(stringLit6d696e()) == 3 + } + + axiom { + strLen(stringLit6d6178()) == 3 + } + + axiom { + strLen(stringLit4e6f6e4c6f63616c44656c6976657279()) == 16 + } + + axiom { + strLen(stringLit5472616365726f75746552657175657374()) == 17 + } + + axiom { + strLen(stringLit496e76616c6964536f7572636541646472657373()) == 20 + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704279486f704f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit616464724864724c656e()) == 10 + } + + axiom { + strLen(stringLit4572726f6e656f75734865616465724669656c64()) == 20 + } + + axiom { + strLen(stringLit4a756e65()) == 4 + } + + axiom { + strLen(stringLit417567757374()) == 6 + } + + axiom { + strLen(stringLit61646472()) == 4 + } + + axiom { + strLen(stringLit4c6974746c65456e6469616e()) == 12 + } + + axiom { + strLen(stringLit4e6f6e65()) == 4 + } + + axiom { + strLen(stringLit6d696e696d756d()) == 7 + } + + axiom { + 
strLen(stringLit496e76616c69645061636b657453697a65()) == 17 + } + + axiom { + strLen(stringLit736f757263652061646472657373206d697373696e67()) == 22 + } + + axiom { + strLen(stringLit6c656e()) == 3 + } + + axiom { + strLen(stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e()) == + 43 + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit5343494f4e20686561646572206d697373696e67()) == 20 + } + + axiom { + strLen(stringLit496e76616c6964486f704669656c644d4143()) == 18 + } + + axiom { + strLen(stringLit556e6b6e6f776e4e65787448647254797065()) == 18 + } + + axiom { + strLen(stringLit5765646e6573646179()) == 9 + } + + axiom { + strLen(stringLit544350()) == 3 + } + + axiom { + strLen(stringLit6d696e696e756d5f6c65677468()) == 13 + } + + axiom { + strLen(stringLit506172616d6574657250726f626c656d()) == 16 + } + + axiom { + strLen(stringLit496e76616c69645365676d656e744368616e6765()) == 20 + } + + axiom { + strLen(stringLit6864724279746573()) == 8 + } +} + +domain PolyAdditionalAxioms { + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == nilDecodeFeedback_b41831d7_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == Path_4cddb96f_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct0) } + (box_Poly((unbox_Poly(y): ShStruct0)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Int) } + (box_Poly((unbox_Poly(y): Int)): Ref) == y) + } + + axiom { + (forall 
y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[Ref, Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref]) } + 
(box_Poly((unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Slice[Ref]) } + (box_Poly((unbox_Poly(y): Slice[Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref) == + y) + } +} + +field Intuint16$$$$_E_$$$: Int + +field Bool$$$$_E_$$$: Bool + +field SliceIntbyte$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint32$$$$_E_$$$: Int + +field SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + +field SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Intuint64$$$$_E_$$$: Int + +field DefinedPath_a6ceb89d_T$$$$_E_$$$: Tuple2[Ref, Types] + +field DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$: Int + +field Intuint8$$$$_E_$$$: Int + +field DefinedType_a6ceb89d_T$$$$_E_$$$: Int + +field PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + +field SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + +field PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] 
+ +field Interfaceempty_interface$$$$_E_$$$: Tuple2[Ref, Types] + +field SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$: Slice[ShStruct4[Ref, Ref, Ref, Ref]] + +field PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$] + +field DefinedAddrType_840d9458_T$$$$_E_$$$: Int + +field DefinedIA_cd675838_T$$$$_E_$$$: Int + +field Intbyte$$$$_E_$$$: Int + +field Intint$$$$_E_$$$: Int + +field DefinedL4ProtocolType_840d9458_T$$$$_E_$$$: Int + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +// decreases _ +function shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$(): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$] + ensures (ShStructget0of3(result): Ref) == null && + (ShStructget1of3(result): Ref) == null && + (ShStructget2of3(result): Emb_3_Intuint8$$$_S_$$$) == + box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(arrayNil_3_Intuint8$$$_S_$$$()) + + +// decreases +function addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Int + requires acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + ensures 0 <= result +{ + 2 * 8 + + 
Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) +} + +// decreases +function assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(b: Bool, + y: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMBase(s_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(s_V0), wildcard) + ensures result >= 4 + ensures result == + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +{ + (unfolding acc(Mem_daeaf66a_PMBase(s_V0), wildcard) in + 4 + (ShStructget1of3(s_V0): Ref).Intint$$$$_E_$$$ * 8 + + (ShStructget2of3(s_V0): Ref).Intint$$$$_E_$$$ * 12) +} + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_4_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 4 || + result == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_4_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 4 || + x == arrayNil_4_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases +function assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(b: Bool, y: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref] + requires b +{ + y +} + +// decreases +function Length_840d9458_MAddrType(tl_V0: Int): Int + ensures 
result == 4 * (1 + BitAnd3_ca158f5e_F(tl_V0)) + ensures tl_V0 == 0 ==> result == 4 + ensures tl_V0 == 4 ==> result == 4 + ensures tl_V0 == 3 ==> result == 4 * 4 +{ + 4 * (1 + intBitwiseAnd(tl_V0, 3)) +} + +// decreases _ +function Len_c385169_PMPath(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + ensures result == 32 +{ + 32 +} + +// decreases +function getPathPure_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + pathType_V0: Int): Tuple2[Ref, Types] + requires 0 <= pathType_V0 && pathType_V0 < 256 + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) && + acc((ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, wildcard) + requires !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) + requires acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) +{ + (pathType_V0 < + (slen((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ? 
+ (unfolding acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, pathType_V0), wildcard) in + (ShArrayloc((sarray((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + pathType_V0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) : + (ShStructget16of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) +} + +// decreases _ +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function arrayNil_3_Intuint8$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function assertArg2_Tuple0(b: Bool, y: Tuple0): Tuple0 + requires b +{ + y +} + +// decreases +function PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c6e60a1d_PMPath(p_V0, ubuf_V0) +} + +// decreases _ +function box_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_2_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 2 || + x == arrayNil_2_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases _ +function intBitwiseOr(left: Int, right: Int): Int + + +// decreases _ +function 
shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref] + ensures (ShStructget0of2(result): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) == + shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$() && + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_3_Intuint8$$$_S_$$$ + requires (ShArraylen(x): Int) == 3 || x == arrayNil_3_Intuint8$$$_S_$$$() + ensures unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases _ +function intBitwiseAnd(left: Int, right: Int): Int + + +// decreases +function UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types]): Slice[Ref] + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf), wildcard) + + +// decreases _ +function shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[Ref, Ref] + ensures (ShStructget0of2(result): Ref) == null && + (ShStructget1of2(result): Ref) == null + + +// decreases +function BitAnd3_ca158f5e_F(b_V0: Int): Int + ensures 0 <= intBitwiseAnd(b_V0, 3) && intBitwiseAnd(b_V0, 3) <= 3 + ensures b_V0 == 0 ==> result == 0 + ensures b_V0 == 3 ==> result == 3 + ensures b_V0 == 4 ==> result == 0 + ensures result == intBitwiseAnd(b_V0, 3) + + +// decreases _ +function shStructDefault_$PathMetaA_DefinedMetaHdr_daeaf66a_T$$$_S_$$$_NumINFA_Intint$$$_S_$$$_NumHopsA_Intint$$$_S_$$$$(): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref] + ensures (ShStructget0of3(result): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$]) == + shStructDefault_$CurrINFA_Intuint8$$$_S_$$$_CurrHFA_Intuint8$$$_S_$$$_SegLenA_Array3Intuint8$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of3(result): Ref) == null 
&& + (ShStructget2of3(result): Ref) == null + + +// decreases _ +function intShiftLeft(left: Int, right: Int): Int + requires right >= 0 + + +// decreases +function assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(b: Bool, + y: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]] + requires b +{ + y +} + +// decreases _ +function shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$(): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures (ShStructget0of17(result): ShStruct2[Ref, Ref]) == + shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of17(result): Ref) == null && + (ShStructget2of17(result): Ref) == null && + (ShStructget3of17(result): Ref) == null && + (ShStructget4of17(result): Ref) == null && + (ShStructget5of17(result): Ref) == null && + (ShStructget6of17(result): Ref) == null && + (ShStructget7of17(result): Ref) == null && + 
(ShStructget8of17(result): Ref) == null && + (ShStructget9of17(result): Ref) == null && + (ShStructget10of17(result): Ref) == null && + (ShStructget11of17(result): Ref) == null && + (ShStructget12of17(result): Ref) == null && + (ShStructget13of17(result): Ref) == null && + (ShStructget14of17(result): Ref) == null && + (ShStructget15of17(result): Ref) == null && + (ShStructget16of17(result): Ref) == null + + +function ssliceFromArray_Ref(a: ShArray[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (ShArraylen(a): Int) + ensures (soffset(result): Int) == i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (ShArraylen(a): Int) - i + ensures (sarray(result): ShArray[Ref]) == a + + +// decreases _ +function Len_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures !hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> result == 16 + ensures hasScionPath_c6e60a1d_PMPath(p_V0, ubuf_V0) ==> + result == + 16 + + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMRaw((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0, 16, (slen(ubuf_V0): Int)))) + + +// decreases +function Has3Bits_840d9458_MAddrType(a_V0: Int): Bool +{ + 0 <= a_V0 && a_V0 <= 7 +} + +// decreases _ +function arrayNil_2_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function ssliceFromSlice_Ref(s: Slice[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (scap(s): Int) + ensures 
(soffset(result): Int) == (soffset(s): Int) + i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (scap(s): Int) - i + ensures (sarray(result): ShArray[Ref]) == (sarray(s): ShArray[Ref]) + + +// decreases _ +function Len_daeaf66a_PMRaw(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of2(s_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases _ +function unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_2_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 2 || + result == arrayNil_2_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases +function PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(s_V0: ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref], + buf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(s_V0): Ref), pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMRaw(s_V0, buf_V0) +} + +// decreases +function AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + (unfolding acc(HeaderMem_840d9458_PMSCION(s_V0, ssliceFromSlice_Ref(ubuf_V0, + 12, (slen(ubuf_V0): Int))), wildcard) in + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$))) +} + +// decreases _ +function typeOfInterface_Y$558431e4_a6ceb89d_(itf: Tuple2[Ref, Types]): Types + ensures result == (get1of2(itf): Types) + ensures behavioral_subtype_Types(result, Y$558431e4_a6ceb89d__Types()) + + +// decreases _ +function sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$())) + + +// decreases _ +function unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(y: Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases +function assertArg2_ShStruct2_RefRef(b: Bool, y: ShStruct2[Ref, Ref]): ShStruct2[Ref, Ref] + requires b +{ + y +} + +// decreases +function IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) 
+ requires acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf), wildcard) + + +// decreases _ +function box_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || + x == arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$() + ensures unbox_Emb_1_DefinedPath_a6ceb89d_T$$$_S_$$$_ShArray_Ref(result) == + x + + +function HasOneHopPath_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ub_V0: Slice[Ref]): Bool + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ub_V0), wildcard) +{ + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ub_V0), wildcard) in + typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types())) +} + +// decreases _ +function unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_4_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 4 + ensures box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +// decreases _ +function arrayNil_4_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), pointer_Types(Path_c385169_T_Types())): Tuple2[Ref, Types]), 
+ ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_c385169_PMPath(o_V0, ubuf_V0) +} + +// decreases +function getNumHops_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases +function getNumINF_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]): Int + requires acc(Mem_daeaf66a_PMBase(b_V0), wildcard) + ensures 0 <= result && result <= 3 +{ + (unfolding acc(Mem_daeaf66a_PMBase(b_V0), wildcard) in + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +// decreases _ +function Len_4cddb96f_MPath(o_V0: Tuple0, underlyingBuf_V0: Slice[Ref]): Int + ensures 0 <= result +{ + 0 +} + +// decreases _ +function box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_4_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 4 + ensures unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function box_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_2_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 2 + ensures unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_2_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 2 + ensures box_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +// decreases _ +function Len_a6ceb89d_PMrawPath(p_V0: ShStruct2[Ref, Ref], underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + 
(unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) in + (slen((ShStructget0of2(p_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) +} + +// decreases _ +function Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf: Tuple2[Ref, Types], + underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + 
PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 + + +// decreases _ +function arrayNil_1_DefinedPath_a6ceb89d_T$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases +function hasScionPath_c6e60a1d_PMPath(p_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + buf_V0: Slice[Ref]): Bool + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) + ensures result == + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(Path_c6e60a1d_T_Types())): Tuple2[Ref, Types]), + buf_V0), wildcard) in + !((ShStructget3of4(p_V0): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$())) +} + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +// decreases +function pathPoolInitialized_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]): Bool + requires acc((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, wildcard) +{ + !((ShStructget15of17(s_V0): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) +} + +// decreases +function PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(p_V0: ShStruct2[Ref, Ref], + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(p_V0): Ref), pointer_Types(rawPath_a6ceb89d_T_Types())): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_a6ceb89d_PMrawPath(p_V0, underlyingBuf_V0) +} + +// decreases +function Len_a6ceb89d_SY$558431e4_a6ceb89d_(thisItf: Tuple2[Ref, Types], underlyingBuf_V0: Slice[Ref]): Int + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), wildcard) + ensures (get1of2(thisItf): Types) == Path_4cddb96f_T_Types() ==> + result == + DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): Tuple0), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ==> + result == + PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c385169_T_Types()) ==> + result == + PointerDefinedPath_c385169_T$$$_S_$$$$$$$_E_$$$_Len_c385169_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, 
Ref, Emb_6_Intbyte$$$_S_$$$]]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Path_c6e60a1d_T_Types()) ==> + result == + PointerDefinedPath_c6e60a1d_T$$$_S_$$$$$$$_E_$$$_Len_c6e60a1d_PMPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(Raw_daeaf66a_T_Types()) ==> + result == + PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMRaw_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]), + underlyingBuf_V0) + ensures (get1of2(thisItf): Types) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ==> + result == + PointerDefinedrawPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$_Len_a6ceb89d_PMrawPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof((unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref]), + underlyingBuf_V0) + ensures result >= 0 +{ + (true ? + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(rawPath_a6ceb89d_T_Types()) ? + Len_a6ceb89d_PMrawPath(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(rawPath_a6ceb89d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ Len_daeaf66a_PMRaw(assertArg2_ShStruct2_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Raw_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c6e60a1d_T_Types()) ? + Len_c6e60a1d_PMPath(assertArg2_ShStruct4_ShStruct2_RefRefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c6e60a1d_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Path_c385169_T_Types()) ? + Len_c385169_PMPath(assertArg2_ShStruct3_ShStruct4_RefRefRefRefShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$ShStruct6_RefRefRefRefRefEmb_6_Intbyte$$$_S_$$$(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Path_c385169_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + Len_daeaf66a_PMDecoded(assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + pointer_Types(Decoded_daeaf66a_T_Types())), (unbox_Poly((get0of2(thisItf): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])), + underlyingBuf_V0) : + (typeOfInterface_Y$558431e4_a6ceb89d_(thisItf) == + Path_4cddb96f_T_Types() ? 
+ Len_4cddb96f_MPath(assertArg2_Tuple0(behavioral_subtype_Types(typeOfInterface_Y$558431e4_a6ceb89d_(thisItf), + Path_4cddb96f_T_Types()), (unbox_Poly((get0of2(thisItf): Ref)): Tuple0)), + underlyingBuf_V0) : + Len_a6ceb89d_SY$558431e4_a6ceb89d_$itfcopy$fallback(thisItf, + underlyingBuf_V0)))))))) +} + +// decreases _ +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases +function PointerDefinedDecoded_daeaf66a_T$$$_S_$$$$$$$_E_$$$_Len_daeaf66a_PMDecoded_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures result >= 0 +{ + Len_daeaf66a_PMDecoded(d_V0, ubuf_V0) +} + +// decreases +function AddrHdrLen_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref], insideSlayers_V0: Bool): Int + requires insideSlayers_V0 ==> + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, wildcard) + requires insideSlayers_V0 ==> + Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + requires !insideSlayers_V0 ==> + 
acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures insideSlayers_V0 ==> + result == addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) + ensures !insideSlayers_V0 ==> + result == AddrHdrLenNoAbstractionLeak_840d9458_PMSCION(s_V0, ubuf_V0) + ensures 0 <= result + + +// decreases +function assertArg2_ShStruct3_ShStruct3_ShStruct3_RefRefEmb_3_Intuint8$$$_S_$$$RefRefRefRef(b: Bool, + y: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref] + requires b +{ + y +} + +// decreases _ +function Len_daeaf66a_PMDecoded(d_V0: ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref], + ubuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) + ensures (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + result == + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) + ensures result >= 0 +{ + (unfolding acc(dynamic_pred_6((tuple2((box_Poly(d_V0): Ref), pointer_Types(Decoded_daeaf66a_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + Len_daeaf66a_PMBase((ShStructget0of3(d_V0): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]))) +} + +// decreases +function DefinedPath_4cddb96f_T$$$$_E_$$$_Len_4cddb96f_MPath_Len_a6ceb89d_SY$558431e4_a6ceb89d__proof(o_V0: Tuple0, + underlyingBuf_V0: Slice[Ref]): Int + requires acc(dynamic_pred_6((tuple2((box_Poly(o_V0): Ref), Path_4cddb96f_T_Types()): Tuple2[Ref, Types]), + underlyingBuf_V0), wildcard) + ensures result >= 0 +{ + Len_4cddb96f_MPath(o_V0, underlyingBuf_V0) +} + +// decreases _ +function 
unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(y: Emb_3_Intuint8$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 3 || + result == arrayNil_3_Intuint8$$$_S_$$$() + ensures box_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref(result) == y + + +predicate dynamic_pred_0(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + ((get1of2(i): Types) == pointer_Types(EndToEndExtn_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): 
Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMEndToEndOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedEndToEndOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(EndToEndExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtn_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMextnBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$, write) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): 
Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_840d9458_PMHopByHopOption((ShArrayloc((sarray((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref).SlicePointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): Ref).PointerDefinedHopByHopOption_840d9458_T$$$_S_$$$$$$$_E_$$$, + i_V1), write))) : + ((get1of2(i): Types) == + pointer_Types(HopByHopExtnSkipper_840d9458_T_Types()) ? + acc(Mem_840d9458_PMextnBase((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]), + x0), write) : + ((get1of2(i): Types) == pointer_Types(SCION_840d9458_T_Types()) ? 
+ acc((ShStructget1of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget2of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget3of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget4of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget6of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write) && + acc((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget8of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17((unbox_Poly((get0of2(i): 
Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ && + 0 <= + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) && + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 <= + (slen(x0): Int) && + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) <= + (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4 && + acc((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + 
acc(dynamic_pred_6((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)), write) && + (let fn$$0 == + ((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write)) && + (ShStructget0of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4) && + (ShStructget1of2((ShStructget0of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4, 
(slen(x0): Int)) && + 12 <= (slen(x0): Int) && + acc(HeaderMem_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + ssliceFromSlice_Ref(x0, 12, (slen(x0): Int))), write) && + 0 <= + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ && + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ < + 256 && + acc((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + (!pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])) ==> + acc(PathPoolMem_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + (pathPoolInitialized_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref])) ==> + !((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$ == + sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + !((ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(PathPoolMemExceptOne_840d9458_F((ShStructget15of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, + (ShStructget16of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$), write) && + (ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + getPathPure_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + (ShStructget7of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$)) && + (typeOfInterface_Y$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) ==> + 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(x0, 12 + + AddrHdrLen_840d9458_PMSCION((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]), + sliceDefault_Intbyte$$$_S_$$$(), true), (ShStructget5of17((unbox_Poly((get0of2(i): Ref)): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref).Intuint8$$$$_E_$$$ * + 4)) <= + (slen(x0): Int)) : + ((get1of2(i): Types) == pointer_Types(SCMP_840d9458_T_Types()) ? 
+ acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedSCMPTypeCode_840d9458_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$, write) && + (!((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$()) ==> + acc(ChecksumMem_840d9458_PMSCION((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$), write)) : + ((get1of2(i): Types) == + pointer_Types(SCMPDestinationUnreachable_840d9458_T_Types()) ? 
+ acc(Mem_840d9458_PMBaseLayer((ShStructget0of1((unbox_Poly((get0of2(i): Ref)): ShStruct1[ShStruct2[Ref, Ref]])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPEcho_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) ? + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 16), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) ? + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 24), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPPacketTooBig_840d9458_T_Types()) ? 
+ acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPParameterProblem_840d9458_T_Types()) ? + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct2[Ref, Ref], Ref])): ShStruct2[Ref, Ref]), + x0, 4), write) : + ((get1of2(i): Types) == + pointer_Types(SCMPTraceroute_840d9458_T_Types()) ? + acc((ShStructget1of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget2of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget4of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref).Intuint64$$$$_E_$$$, write) && + acc(Mem_840d9458_PMBaseLayer((ShStructget0of5((unbox_Poly((get0of2(i): Ref)): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): ShStruct2[Ref, Ref]), + x0, 20), write) : + ((get1of2(i): Types) == + Payload_b41831d7_T_Types() ? 
+ x0 == + (unbox_Poly((get0of2(i): Ref)): Slice[Ref]) : + acc(dynamic_pred_0_unknown(i, x0), write))))))))))))))) +} + +predicate Mem_daeaf66a_PMBase(b_V0: ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref]) { + acc((ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget0of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShStructget1of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 0): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 1): Ref).Intuint8$$$$_E_$$$, write) && + acc((ShArrayloc(unbox_Emb_3_Intuint8$$$_S_$$$_ShArray_Ref((ShStructget2of3((ShStructget0of3(b_V0): ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$])): Emb_3_Intuint8$$$_S_$$$)), + 2): Ref).Intuint8$$$$_E_$$$, write) && + 0 <= (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ && + (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ <= 3 && + 0 <= (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$ && + (0 < (ShStructget1of3(b_V0): Ref).Intint$$$$_E_$$$ ==> + 0 < (ShStructget2of3(b_V0): Ref).Intint$$$$_E_$$$) +} + +predicate HeaderMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) { + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, write) && + acc((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + 
Has3Bits_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + acc((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, 1 / + 2) && + Has3Bits_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) <= (slen(ubuf_V0): Int) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) == + addrHdrLenAbstractionLeak_840d9458_PMSCION(s_V0) && + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) <= + (slen(ubuf_V0): Int) && + 0 < + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 0 < 2 * 8 && + 2 * 8 < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) < + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) && + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) <= + (slen(ubuf_V0): Int) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8, 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) && + (ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(ubuf_V0, 2 * 8 + + 
Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$), + 2 * 8 + + Length_840d9458_MAddrType((ShStructget8of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$) + + Length_840d9458_MAddrType((ShStructget9of17(s_V0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$)) +} + +predicate AbsSlice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int) { + 0 <= start_V0 && start_V0 <= end_V0 && end_V0 <= (scap(s_V0): Int) && + (forall i_V1: Int :: + { (ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), i_V1)): Ref) } + start_V0 <= i_V1 && i_V1 < end_V0 ==> + acc((ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, write)) +} + +predicate PathPoolMemExceptOne_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types], + pathType_V0: Int) { + !(pathPool_V0 == sliceDefault_DefinedPath_a6ceb89d_T$$$_S_$$$()) && + (slen(pathPool_V0): Int) == 4 && + (acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 0)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + Path_4cddb96f_T_Types()) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 2)): 
Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c385169_T_Types()) && + (!(pathType_V0 == 2) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 2)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Raw_daeaf66a_T_Types()) && + (!(pathType_V0 == 1) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 1)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + acc((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, write) && + !((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ == + (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + typeOfInterface_Y$558431e4_a6ceb89d_((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), + sadd((soffset(pathPool_V0): Int), 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$) == + pointer_Types(Path_c6e60a1d_T_Types()) && + (!(pathType_V0 == 3) ==> + acc(dynamic_pred_2((ShArrayloc((sarray(pathPool_V0): ShArray[Ref]), sadd((soffset(pathPool_V0): Int), + 3)): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$), write)) && + !(pathPoolRaw_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + (pathType_V0 < (slen(pathPool_V0): Int) ==> + acc(dynamic_pred_2(pathPoolRaw_V0), write)) +} + +predicate dynamic_pred_6(i: Tuple2[Ref, Types], x0: Slice[Ref]) { + 
((get1of2(i): Types) == Path_4cddb96f_T_Types() ? + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(Path_4cddb96f_T_Types()) ? + (let fn$$0 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct0)) in + true) && + (slen(x0): Int) == 0 : + ((get1of2(i): Types) == pointer_Types(rawPath_a6ceb89d_T_Types()) ? + (let fn$$1 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$1): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$1): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$, write)) && + (ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + x0 : + ((get1of2(i): Types) == pointer_Types(Path_c385169_T_Types()) ? + (let fn$$2 == + ((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct4[Ref, Ref, Ref, Ref])) in + acc((ShStructget0of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget1of4(fn$$2): Ref).Bool$$$$_E_$$$, write) && + acc((ShStructget2of4(fn$$2): Ref).Intuint16$$$$_E_$$$, write) && + acc((ShStructget3of4(fn$$2): Ref).Intuint32$$$$_E_$$$, write)) && + acc(Mem_a6ceb89d_PMHopField((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + acc(Mem_a6ceb89d_PMHopField((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write) && + 32 <= (slen(x0): Int) : + ((get1of2(i): Types) == pointer_Types(Path_c6e60a1d_T_Types()) ? 
+ (let fn$$3 == + ((ShStructget0of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$3): Ref).Intuint32$$$$_E_$$$, write)) && + acc((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget1of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget2of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), write) && + acc((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$, write) && + !((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$ == + shStructDefault_$BaseA_DefinedBase_daeaf66a_T$$$_S_$$$_RawA_SliceIntbyte$$$_S_$$$$$$_S_$$$$()) && + 16 <= (slen(x0): Int) && + acc(dynamic_pred_6((tuple2((box_Poly((ShStructget3of4((unbox_Poly((get0of2(i): Ref)): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref).PointerDefinedRaw_daeaf66a_T$$$_S_$$$$$$$_E_$$$): Ref), + pointer_Types(Raw_daeaf66a_T_Types())): Tuple2[Ref, Types]), ssliceFromSlice_Ref(x0, + 16, 
(slen(x0): Int))), write) : + ((get1of2(i): Types) == + pointer_Types(Decoded_daeaf66a_T_Types()) ? + acc(Mem_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) <= + 3 && + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumINF_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + ((forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): 
Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget0of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 
== + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget1of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Bool$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): 
ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget2of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint16$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref]) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) && + (let fn$$4 == + ((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, 
Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])) in + true) ==> + acc((ShStructget3of4((ShArrayloc((sarray((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct4[Ref, Ref, Ref, Ref]]), + sadd((soffset((ShStructget1of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedInfoField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V1)): ShStruct4[Ref, Ref, Ref, Ref])): Ref).Intuint32$$$$_E_$$$, write))) && + acc((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) == + getNumHops_daeaf66a_PMBase((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) && + (forall i_V2: Int :: + { (ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + 
sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) } + 0 <= i_V2 && + i_V2 < + (slen((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int) ==> + acc(Mem_a6ceb89d_PMHopField((ShArrayloc((sarray((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): ShArray[ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]), + sadd((soffset((ShStructget2of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref).SliceDefinedHopField_a6ceb89d_T$$$_S_$$$$$$$_E_$$$): Int), + i_V2)): ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$])), write)) : + ((get1of2(i): Types) == pointer_Types(Raw_daeaf66a_T_Types()) ? 
+ acc(Mem_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])), write) && + acc((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, write) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) <= + (slen(x0): Int) && + (ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + ssliceFromSlice_Ref(x0, 0, (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) && + (slen((ShStructget1of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + Len_daeaf66a_PMBase((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref])) : + acc(dynamic_pred_6_unknown(i, x0), write)))))))) +} + +predicate dynamic_pred_0_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate ChecksumMem_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) + +predicate Mem_840d9458_PMHopByHopOption(o_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2325_V0: Int) + +predicate Mem_a6ceb89d_PMHopField(h_V0: ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]) + +predicate 
Mem_840d9458_PMEndToEndOption(e_V0: ShStruct5[Ref, Ref, Ref, Ref, Emb_2_Intuint8$$$_S_$$$], + _2372_V0: Int) + +predicate PathPoolMem_840d9458_F(pathPool_V0: Slice[Ref], pathPoolRaw_V0: Tuple2[Ref, Types]) + +predicate ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate dynamic_pred_6_unknown(i: Tuple2[Ref, Types], x0: Slice[Ref]) + +predicate dynamic_pred_2(i: Tuple2[Ref, Types]) + +predicate Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types]) + +predicate Mem_840d9458_PMextnBase(e_V0: ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], + ubuf_V0: Slice[Ref]) + +predicate Mem_840d9458_PMBaseLayer(b_V0: ShStruct2[Ref, Ref], ub_V0: Slice[Ref], + breakPoint_V0: Int) + +predicate MemWithoutUBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types], + ub_V0: Slice[Ref]) + +// decreases +method SerializeTo_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + b_V0: Tuple2[Ref, Types], opts_V0: Tuple2[Bool, Bool], ubuf_V0: Slice[Ref]) + returns (e_V0: Tuple2[Ref, Types]) + requires !(get0of2(opts_V0): Bool) + requires !(b_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(b_V0), write) + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), 1 / 4) + requires acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), write) + ensures acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(b_V0), write) + ensures acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), 1 / 4) + ensures acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), write) + ensures e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + HasOneHopPath_840d9458_PMSCION(s_V0, ubuf_V0) ==> + (slen(UBuf_b41831d7_SY$3e1378f2_b41831d7_(b_V0)): Int) == + 
old((slen(UBuf_b41831d7_SY$3e1378f2_b41831d7_(b_V0)): Int)) + + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + 12 + + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0): Ref).Intuint8$$$$_E_$$$ * 4))) + ensures e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + HasOneHopPath_840d9458_PMSCION(s_V0, ubuf_V0) ==> + (unfolding acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), wildcard) in + 12 + + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0): Ref).Intuint8$$$$_E_$$$ * 4))) <= + (slen(ubuf_V0): Int) + ensures !(e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(e_V0), write) +{ + inhale e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl s_V0_CN0: *SCION_840d9458_T@°°, b_V0_CN1: SerializeBuffer_b41831d7_T°°, opts_V0_CN2: SerializeOptions_b41831d7_T°°, ubuf_V0_CN3: []byte@°°, e_V0_CN4: error_a4af0e5e_T°° + var e_V0_CN4: Tuple2[Ref, Types] + var ubuf_V0_CN3: Slice[Ref] + var opts_V0_CN2: Tuple2[Bool, Bool] + var b_V0_CN1: Tuple2[Ref, Types] + var s_V0_CN0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + + + var fn$$1_activation: Bool + var fn$$1_0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref] + var fn$$1_1: Slice[Ref] + var fn$$1_2: Perm + fn$$1_activation := false + var fn$$2_activation: Bool + var fn$$2_0: Slice[Ref] + var fn$$2_1: Int + var fn$$2_2: Int + var fn$$2_3: Perm + fn$$2_activation := false + + // init s_V0_CN0 + inhale s_V0_CN0 == + shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$() + + // init b_V0_CN1 + inhale b_V0_CN1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // init opts_V0_CN2 + var fn$$0: Tuple2[Bool, Bool] + fn$$0 := opts_V0_CN2 + inhale (get0of2(fn$$0): Bool) == false + inhale (get1of2(fn$$0): Bool) == false + + // init ubuf_V0_CN3 + inhale ubuf_V0_CN3 == sliceDefault_Intbyte$$$_S_$$$() + + // init e_V0_CN4 + inhale e_V0_CN4 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // s_V0_CN0 = s_V0 + s_V0_CN0 := s_V0 + + // b_V0_CN1 = b_V0 + b_V0_CN1 := b_V0 + + // opts_V0_CN2 = opts_V0 + opts_V0_CN2 := opts_V0 + + // ubuf_V0_CN3 = ubuf_V0 + ubuf_V0_CN3 := ubuf_V0 + + // decl scnLen_V1: int°°, N24: []byte@°°, N25: error_a4af0e5e_T°°, buf_V1: []byte@°°, err_V1: error_a4af0e5e_T°°, uSerBufN_V1: []byte@°°, N28: []byte@°°, firstLine_V1: uint32°°, sPath_V1: Path_a6ceb89d_T°°, pathSlice_V1: []byte@°°, offset_V1: int°°, N35: error_a4af0e5e_T°°, tmp_V1: error_a4af0e5e_T°° + var tmp_V1: Tuple2[Ref, Types] + var N35: Tuple2[Ref, Types] + var offset_V1: Int + 
var pathSlice_V1: Slice[Ref] + var sPath_V1: Tuple2[Ref, Types] + var firstLine_V1: Int + var N28: Slice[Ref] + var uSerBufN_V1: Slice[Ref] + var err_V1: Tuple2[Ref, Types] + var buf_V1: Slice[Ref] + var N25: Tuple2[Ref, Types] + var N24: Slice[Ref] + var scnLen_V1: Int + + // unfold acc(s_V0_CN0.Mem(ubuf_V0_CN3), perm(1/4)) + unfold acc(dynamic_pred_0((tuple2((box_Poly(s_V0_CN0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0_CN3), 1 / 4) + + // defer fold acc(s_V0_CN0.Mem(ubuf_V0_CN3), perm(1/4)) + fn$$1_0 := s_V0_CN0 + fn$$1_1 := ubuf_V0_CN3 + fn$$1_2 := 1 / 4 + fn$$1_activation := true + + // SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, int°(12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true)), int°(*s_V0_CN0.HdrLenA * 4), write) + SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4, write) + + // defer CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, int°(12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true)), int°(*s_V0_CN0.HdrLenA * 4), write) + fn$$2_0 := ubuf_V0_CN3 + fn$$2_1 := 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true) + fn$$2_2 := (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4 + fn$$2_3 := write + fn$$2_activation := true + + // init scnLen_V1 + inhale scnLen_V1 == 0 + + // scnLen_V1 = 12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true) + *s_V0_CN0.PathA.Len(ubuf_V0_CN3[12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true):*s_V0_CN0.HdrLenA * 4]) + scnLen_V1 := 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true) + + Len_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(ubuf_V0_CN3, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4)) + + // if(scnLen_V1 > 1020) {...} else {...} + 
if (scnLen_V1 > 1020) { + + // decl N20: []interface{ name is empty_interface }@°°, N21: error_a4af0e5e_T°° + var N21: Tuple2[Ref, Types] + var N20: Slice[Ref] + + // N20 = new([]interface{ name is empty_interface }@ { 0:toInterface("max"), 1:toInterface(1020), 2:toInterface("actual"), 3:toInterface(scnLen_V1) }) + var fn$$3: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$5: Emb_4_Interfaceempty_interface$$$_S_$$$ + var fn$$6: Emb_4_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$4: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$3), + fn$$4): Ref) } + 0 <= fn$$4 && fn$$4 < 4 ==> + acc((ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$3), + fn$$4): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$3 == + box_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_4_Interfaceempty_interface$$$_S_$$$())) + fn$$5 := fn$$3 + fn$$6 := box_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit6d6178()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(1020): Ref), integer_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly(stringLit61637475616c()): Ref), string_Types()): Tuple2[Ref, Types]), + (tuple2((box_Poly(scnLen_V1): Ref), int_Types()): Tuple2[Ref, Types]))) + inhale (forall fn$$7: Int :: + { (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$5), + fn$$7): Ref) } + { unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$6)[fn$$7] } + 0 <= fn$$7 && fn$$7 < 4 ==> + (ShArrayloc(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$5), + fn$$7): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_4_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$6)[fn$$7]) + N20 := ssliceFromArray_Ref(unbox_Emb_4_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$3), + 0, 4) + + // N21 = New_bfd5223e_F("header length exceeds maximum", N20) + N21 := 
New_bfd5223e_F(stringLit686561646572206c656e6774682065786365656473206d6178696d756d(), + N20) + + // e_V0_CN4 = N21 + e_V0_CN4 := N21 + + // return + goto returnLabel + } + + // if(scnLen_V1 % 4 != 0) {...} else {...} + if (!(scnLen_V1 % 4 == 0)) { + + // decl N22: []interface{ name is empty_interface }@°°, N23: error_a4af0e5e_T°° + var N23: Tuple2[Ref, Types] + var N22: Slice[Ref] + + // N22 = new([]interface{ name is empty_interface }@ { 0:toInterface("actual"), 1:toInterface(scnLen_V1) }) + var fn$$8: Emb_2_Interfaceempty_interface$$$_S_$$$ + var fn$$10: Emb_2_Interfaceempty_interface$$$_S_$$$ + var fn$$11: Emb_2_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$9: Int :: + { (ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$8), + fn$$9): Ref) } + 0 <= fn$$9 && fn$$9 < 2 ==> + acc((ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$8), + fn$$9): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$8 == + box_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_2_Interfaceempty_interface$$$_S_$$$())) + fn$$10 := fn$$8 + fn$$11 := box_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit61637475616c()): Ref), + string_Types()): Tuple2[Ref, Types]), (tuple2((box_Poly(scnLen_V1): Ref), + int_Types()): Tuple2[Ref, Types]))) + inhale (forall fn$$12: Int :: + { (ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$10), + fn$$12): Ref) } + { unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$11)[fn$$12] } + 0 <= fn$$12 && fn$$12 < 2 ==> + (ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$10), + fn$$12): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$11)[fn$$12]) + N22 := ssliceFromArray_Ref(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$8), + 0, 2) + + // N23 = New_bfd5223e_F("header length is not an integer multiple of 
line length", N22) + N23 := New_bfd5223e_F(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(), + N22) + + // e_V0_CN4 = N23 + e_V0_CN4 := N23 + + // return + goto returnLabel + } + + // N24, N25 = b_V0_CN1PrependBytes(scnLen_V1) + N24, N25 := PrependBytes_b41831d7_SY$3e1378f2_b41831d7_(b_V0_CN1, scnLen_V1) + + // init buf_V1 + inhale buf_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // init err_V1 + inhale err_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // buf_V1 = N24 + buf_V1 := N24 + + // err_V1 = N25 + err_V1 := N25 + + // if(err_V1 != (nil:error_a4af0e5e_T°)) {...} else {...} + if (!(err_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + + // decl + + // e_V0_CN4 = err_V1 + e_V0_CN4 := err_V1 + + // return + goto returnLabel + } + + // if(opts_V0_CN2.FixLengthsA) {...} else {...} + if ((get0of2(opts_V0_CN2): Bool)) { + + // decl N26: []byte@°° + var N26: Slice[Ref] + + // Unreachable_ef823ad9_F() + assert false + Unreachable_ef823ad9_F() + + // *s_V0_CN0.HdrLenA = uint8°(scnLen_V1 / 4) + (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ := scnLen_V1 / 4 + + // N26 = b_V0_CN1Bytes() + N26 := Bytes_b41831d7_SY$3e1378f2_b41831d7_(b_V0_CN1) + + // *s_V0_CN0.PayloadLenA = uint16°(len(N26) - scnLen_V1) + (ShStructget6of17(s_V0_CN0): Ref).Intuint16$$$$_E_$$$ := (slen(N26): Int) - + scnLen_V1 + } + + // init uSerBufN_V1 + inhale uSerBufN_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // uSerBufN_V1 = b_V0_CN1.UBuf() + uSerBufN_V1 := UBuf_b41831d7_SY$3e1378f2_b41831d7_(b_V0_CN1) + + // assert buf_V1 === uSerBufN_V1[0:scnLen_V1] + assert buf_V1 == ssliceFromSlice_Ref(uSerBufN_V1, 0, scnLen_V1) + + // N28 = b_V0_CN1ExchangePred() + N28 := ExchangePred_b41831d7_SY$3e1378f2_b41831d7_(b_V0_CN1) + + // SplitRange_Bytes_e630ae22_F(uSerBufN_V1, 0, scnLen_V1, write) + SplitRange_Bytes_e630ae22_F(uSerBufN_V1, 0, scnLen_V1, write) + + // init firstLine_V1 + inhale firstLine_V1 == 0 + + // 
firstLine_V1 = uint32°(*s_V0_CN0.VersionA & 0xf) << 28 | uint32°(*s_V0_CN0.TrafficClassA) << 20 | *s_V0_CN0.FlowIDA & 0xfffff + firstLine_V1 := intBitwiseOr(intBitwiseOr(intShiftLeft(intBitwiseAnd((ShStructget1of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$, + 15), 28), intShiftLeft((ShStructget2of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$, + 20)), intBitwiseAnd((ShStructget3of17(s_V0_CN0): Ref).Intuint32$$$$_E_$$$, + 1048575)) + + // SplitRange_Bytes_e630ae22_F(buf_V1, 0, 4, write) + SplitRange_Bytes_e630ae22_F(buf_V1, 0, 4, write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1[0:4], 0, 4)) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V1, 0, 4), 0, + 4), write) + + // 0PutUint32(buf_V1[0:4], firstLine_V1) + PutUint32_72f0d887_MbigEndian(0, ssliceFromSlice_Ref(buf_V1, 0, 4), firstLine_V1) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1[0:4], 0, 4)) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V1, 0, 4), 0, 4), write) + + // CombineRange_Bytes_e630ae22_F(buf_V1, 0, 4, write) + CombineRange_Bytes_e630ae22_F(buf_V1, 0, 4, write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, len(buf_V1))) + unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, (slen(buf_V1): Int)), write) + + // buf_V1[4] = uint8°(*s_V0_CN0.NextHdrA) + (ShArrayloc((sarray(buf_V1): ShArray[Ref]), sadd((soffset(buf_V1): Int), 4)): Ref).Intbyte$$$$_E_$$$ := (ShStructget4of17(s_V0_CN0): Ref).DefinedL4ProtocolType_840d9458_T$$$$_E_$$$ + + // buf_V1[5] = *s_V0_CN0.HdrLenA + (ShArrayloc((sarray(buf_V1): ShArray[Ref]), sadd((soffset(buf_V1): Int), 5)): Ref).Intbyte$$$$_E_$$$ := (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, len(buf_V1))) + fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, (slen(buf_V1): Int)), write) + + // SplitRange_Bytes_e630ae22_F(buf_V1, 6, 8, write) + SplitRange_Bytes_e630ae22_F(buf_V1, 6, 8, write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1[6:8], 0, 2)) + unfold 
acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V1, 6, 8), 0, + 2), write) + + // 0PutUint16(buf_V1[6:8], *s_V0_CN0.PayloadLenA) + PutUint16_72f0d887_MbigEndian(0, ssliceFromSlice_Ref(buf_V1, 6, 8), (ShStructget6of17(s_V0_CN0): Ref).Intuint16$$$$_E_$$$) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1[6:8], 0, 2)) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V1, 6, 8), 0, 2), write) + + // CombineRange_Bytes_e630ae22_F(buf_V1, 6, 8, write) + CombineRange_Bytes_e630ae22_F(buf_V1, 6, 8, write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, len(buf_V1))) + unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, (slen(buf_V1): Int)), write) + + // buf_V1[8] = uint8°(*s_V0_CN0.PathTypeA) + (ShArrayloc((sarray(buf_V1): ShArray[Ref]), sadd((soffset(buf_V1): Int), 8)): Ref).Intbyte$$$$_E_$$$ := (ShStructget7of17(s_V0_CN0): Ref).DefinedType_a6ceb89d_T$$$$_E_$$$ + + // buf_V1[9] = uint8°(*s_V0_CN0.DstAddrTypeA & 0x7) << 4 | uint8°(*s_V0_CN0.SrcAddrTypeA & 0x7) + (ShArrayloc((sarray(buf_V1): ShArray[Ref]), sadd((soffset(buf_V1): Int), 9)): Ref).Intbyte$$$$_E_$$$ := intBitwiseOr(intShiftLeft(intBitwiseAnd((ShStructget8of17(s_V0_CN0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, + 7), 4), intBitwiseAnd((ShStructget9of17(s_V0_CN0): Ref).DefinedAddrType_840d9458_T$$$$_E_$$$, + 7)) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, len(buf_V1))) + fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1, 0, (slen(buf_V1): Int)), write) + + // SplitRange_Bytes_e630ae22_F(buf_V1, 10, 12, write) + SplitRange_Bytes_e630ae22_F(buf_V1, 10, 12, write) + + // unfold acc(AbsSlice_Bytes_e630ae22_F(buf_V1[10:12], 0, 2)) + unfold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V1, 10, 12), + 0, 2), write) + + // 0PutUint16(buf_V1[10:12], 0) + PutUint16_72f0d887_MbigEndian(0, ssliceFromSlice_Ref(buf_V1, 10, 12), 0) + + // fold acc(AbsSlice_Bytes_e630ae22_F(buf_V1[10:12], 0, 2)) + fold acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(buf_V1, 10, 12), 0, + 2), write) + + // 
CombineRange_Bytes_e630ae22_F(buf_V1, 10, 12, write) + CombineRange_Bytes_e630ae22_F(buf_V1, 10, 12, write) + + // init sPath_V1 + inhale sPath_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // sPath_V1 = *s_V0_CN0.PathA + sPath_V1 := (ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$ + + // init pathSlice_V1 + inhale pathSlice_V1 == sliceDefault_Intbyte$$$_S_$$$() + + // pathSlice_V1 = ubuf_V0_CN3[12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true):*s_V0_CN0.HdrLenA * 4] + pathSlice_V1 := ssliceFromSlice_Ref(ubuf_V0_CN3, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4) + + // CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true), int°(*s_V0_CN0.HdrLenA * 4), perm(1/4096)) + CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4, 1 / 4096) + + // SplitRange_Bytes_e630ae22_F(buf_V1, 12, len(buf_V1), write) + SplitRange_Bytes_e630ae22_F(buf_V1, 12, (slen(buf_V1): Int), write) + + // SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12, len(ubuf_V0_CN3), perm(1/4096)) + SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12, (slen(ubuf_V0_CN3): Int), 1 / + 4096) + + // decl N31: error_a4af0e5e_T°°, err_V2: error_a4af0e5e_T°° + var err_V2: Tuple2[Ref, Types] + var N31: Tuple2[Ref, Types] + + // N31 = s_V0_CN0SerializeAddrHdr(buf_V1[12:len(buf_V1)], ubuf_V0_CN3[12:len(ubuf_V0_CN3)]) + N31 := SerializeAddrHdr_840d9458_PMSCION(s_V0_CN0, ssliceFromSlice_Ref(buf_V1, + 12, (slen(buf_V1): Int)), ssliceFromSlice_Ref(ubuf_V0_CN3, 12, (slen(ubuf_V0_CN3): Int))) + + // init err_V2 + inhale err_V2 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // err_V2 = N31 + err_V2 := N31 + + // if(err_V2 != (nil:error_a4af0e5e_T°)) {...} else {...} + if (!(err_V2 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]))) { + + // 
decl + + // CombineRange_Bytes_e630ae22_F(buf_V1, 12, len(buf_V1), write) + CombineRange_Bytes_e630ae22_F(buf_V1, 12, (slen(buf_V1): Int), write) + + // CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12, len(ubuf_V0_CN3), perm(1/4096)) + CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12, (slen(ubuf_V0_CN3): Int), + 1 / 4096) + + // SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true), int°(*s_V0_CN0.HdrLenA * 4), perm(1/4096)) + SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), + true), (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4, 1 / + 4096) + + // CombineRange_Bytes_e630ae22_F(uSerBufN_V1, 0, scnLen_V1, write) + CombineRange_Bytes_e630ae22_F(uSerBufN_V1, 0, scnLen_V1, write) + + // b_V0_CN1RestoreMem(uSerBufN_V1) + RestoreMem_b41831d7_SY$3e1378f2_b41831d7_(b_V0_CN1, uSerBufN_V1) + + // e_V0_CN4 = err_V2 + e_V0_CN4 := err_V2 + + // return + goto returnLabel + } + + // init offset_V1 + inhale offset_V1 == 0 + + // offset_V1 = 12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true) + offset_V1 := 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true) + + // CombineRange_Bytes_e630ae22_F(buf_V1, 12, len(buf_V1), write) + CombineRange_Bytes_e630ae22_F(buf_V1, 12, (slen(buf_V1): Int), write) + + // CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12, len(ubuf_V0_CN3), perm(1/4096)) + CombineRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12, (slen(ubuf_V0_CN3): Int), 1 / + 4096) + + // SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + s_V0_CN0.AddrHdrLen((nil:[]byte@°), true), int°(*s_V0_CN0.HdrLenA * 4), perm(1/4096)) + SplitRange_Bytes_e630ae22_F(ubuf_V0_CN3, 12 + + AddrHdrLen_840d9458_PMSCION(s_V0_CN0, sliceDefault_Intbyte$$$_S_$$$(), true), + (ShStructget5of17(s_V0_CN0): Ref).Intuint8$$$$_E_$$$ * 4, 1 / 4096) + + // SplitRange_Bytes_e630ae22_F(buf_V1, offset_V1, len(buf_V1), write) + SplitRange_Bytes_e630ae22_F(buf_V1, offset_V1, (slen(buf_V1): Int), write) + 
+ // N35 = *s_V0_CN0.PathASerializeTo(buf_V1[offset_V1:len(buf_V1)], pathSlice_V1) + N35 := SerializeTo_a6ceb89d_SY$558431e4_a6ceb89d_((ShStructget14of17(s_V0_CN0): Ref).DefinedPath_a6ceb89d_T$$$$_E_$$$, + ssliceFromSlice_Ref(buf_V1, offset_V1, (slen(buf_V1): Int)), pathSlice_V1) + + // init tmp_V1 + inhale tmp_V1 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // tmp_V1 = N35 + tmp_V1 := N35 + + // CombineRange_Bytes_e630ae22_F(buf_V1, offset_V1, len(buf_V1), write) + CombineRange_Bytes_e630ae22_F(buf_V1, offset_V1, (slen(buf_V1): Int), write) + + // CombineRange_Bytes_e630ae22_F(uSerBufN_V1, 0, scnLen_V1, write) + CombineRange_Bytes_e630ae22_F(uSerBufN_V1, 0, scnLen_V1, write) + + // b_V0_CN1RestoreMem(uSerBufN_V1) + RestoreMem_b41831d7_SY$3e1378f2_b41831d7_(b_V0_CN1, uSerBufN_V1) + + // e_V0_CN4 = tmp_V1 + e_V0_CN4 := tmp_V1 + + // return + goto returnLabel + label returnLabel + if (fn$$2_activation) { + + // CombineRange_Bytes_e630ae22_F(fn$$2_0, fn$$2_1, fn$$2_2, fn$$2_3) + CombineRange_Bytes_e630ae22_F(fn$$2_0, fn$$2_1, fn$$2_2, fn$$2_3) + } + if (fn$$1_activation) { + + // fold acc(fn$$1_0.Mem(fn$$1_1), fn$$1_2) + fold acc(dynamic_pred_0((tuple2((box_Poly(fn$$1_0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + fn$$1_1), fn$$1_2) + } + + // e_V0 = e_V0_CN4 + e_V0 := e_V0_CN4 +} + +// decreases +method SplitRange_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (slen(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, (slen(s_V0): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, end_V0 - start_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, start_V0), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, end_V0, (slen(s_V0): Int)), p_V0) + + +// decreases +method SerializeAddrHdr_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + buf_V0: Slice[Ref], ubuf_V0: Slice[Ref]) + returns (err_V0: Tuple2[Ref, Types]) + requires acc(HeaderMem_840d9458_PMSCION(s_V0, ubuf_V0), 1 / 4096) + requires acc(AbsSlice_Bytes_e630ae22_F(buf_V0, 0, (slen(buf_V0): Int)), write) + requires acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), 1 / + 4096) + ensures acc(HeaderMem_840d9458_PMSCION(s_V0, ubuf_V0), 1 / 4096) + ensures acc(AbsSlice_Bytes_e630ae22_F(buf_V0, 0, (slen(buf_V0): Int)), write) + ensures acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), 1 / + 4096) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) + + +// decreases +method RestoreMem_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types], + ub_V0: Slice[Ref]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(MemWithoutUBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf, ub_V0), write) + requires acc(AbsSlice_Bytes_e630ae22_F(ub_V0, 0, (slen(ub_V0): Int)), write) + ensures acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf), write) && + UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf) == ub_V0 + + +method Unreachable_ef823ad9_F() + requires false + + +// decreases +method ExchangePred_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types]) + returns (res_V0: Slice[Ref]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf), write) + ensures res_V0 == old(UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf)) + ensures acc(AbsSlice_Bytes_e630ae22_F(res_V0, 0, (slen(res_V0): Int)), write) + ensures acc(MemWithoutUBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf, res_V0), write) + + +// decreases +method PointerDefinedSCION_840d9458_T$$$_S_$$$$$$$_E_$$$_SerializeTo_840d9458_PMSCION_SerializeTo_b41831d7_SY$17800ab4_b41831d7__proof(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, 
Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + b_V0: Tuple2[Ref, Types], opts_V0: Tuple2[Bool, Bool], ubuf_V0: Slice[Ref]) + returns (e_V0: Tuple2[Ref, Types]) + requires !(get0of2(opts_V0): Bool) + requires !(b_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(b_V0), write) + requires acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), write) + requires acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), write) + ensures acc(AbsSlice_Bytes_e630ae22_F(ubuf_V0, 0, (slen(ubuf_V0): Int)), write) + ensures e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + acc(dynamic_pred_0((tuple2((box_Poly(s_V0): Ref), pointer_Types(SCION_840d9458_T_Types())): Tuple2[Ref, Types]), + ubuf_V0), write) && + acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(b_V0), write) + ensures !(e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(e_V0), write) +{ + inhale e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl + + + + // e_V0 = s_V0SerializeTo(b_V0, opts_V0, ubuf_V0) + e_V0 := SerializeTo_840d9458_PMSCION(s_V0, b_V0, opts_V0, ubuf_V0) + label returnLabel +} + +// decreases +method PrependBytes_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types], + num_V0: Int) + returns (res_V0: Slice[Ref], err_V0: Tuple2[Ref, Types]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires num_V0 >= 0 + requires acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf), write) + ensures acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + (slen(UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf)): Int) == + (slen(old(UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf))): Int) + num_V0 + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + (slen(res_V0): Int) == 
num_V0 + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + res_V0 == + ssliceFromSlice_Ref(UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf), 0, num_V0) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf) == + old(UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf)) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) + + +// decreases +method Bytes_b41831d7_SY$3e1378f2_b41831d7_(thisItf: Tuple2[Ref, Types]) + returns (res_V0: Slice[Ref]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(Mem_b41831d7_SY$3e1378f2_b41831d7_(thisItf), write) + ensures res_V0 == old(UBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf)) + ensures acc(AbsSlice_Bytes_e630ae22_F(res_V0, 0, (slen(res_V0): Int)), write) + ensures acc(MemWithoutUBuf_b41831d7_SY$3e1378f2_b41831d7_(thisItf, res_V0), write) + + +// decreases _ +method New_bfd5223e_F(msg_V0: Int, errCtx_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0) + + +// decreases _ +method 
PutUint32_72f0d887_MbigEndian(e_V0: Int, b_V0: Slice[Ref], v_V0: Int) + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, write) + ensures acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, write) + + +// decreases _ +method PutUint16_72f0d887_MbigEndian(e_V0: Int, b_V0: Slice[Ref], v_V0: Int) + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) + ensures acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) + + +// decreases +method SerializeTo_a6ceb89d_SY$558431e4_a6ceb89d_(thisItf: Tuple2[Ref, Types], + b_V0: Slice[Ref], underlyingBuf_V0: Slice[Ref]) + returns (e_V0: Tuple2[Ref, Types]) + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(AbsSlice_Bytes_e630ae22_F(underlyingBuf_V0, 0, (slen(underlyingBuf_V0): Int)), write) + requires acc(dynamic_pred_6(thisItf, underlyingBuf_V0), 
1 / 8) + requires acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), write) + ensures acc(AbsSlice_Bytes_e630ae22_F(underlyingBuf_V0, 0, (slen(underlyingBuf_V0): Int)), write) + ensures acc(dynamic_pred_6(thisItf, underlyingBuf_V0), 1 / 8) + ensures acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), write) + ensures !(e_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(e_V0), write) + + +// decreases +method CombineRange_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int, + p_V0: Perm) + requires 0 / 1 <= p_V0 + requires 0 <= start_V0 && start_V0 <= end_V0 && + end_V0 <= (slen(s_V0): Int) + requires acc(AbsSlice_Bytes_e630ae22_F(ssliceFromSlice_Ref(s_V0, start_V0, + end_V0), 0, end_V0 - start_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, start_V0), p_V0) + requires acc(AbsSlice_Bytes_e630ae22_F(s_V0, end_V0, (slen(s_V0): Int)), p_V0) + ensures acc(AbsSlice_Bytes_e630ae22_F(s_V0, 0, (slen(s_V0): Int)), p_V0) diff --git a/src/test/resources/biabduction/frontends/gobra/scion_packAddr.vpr b/src/test/resources/biabduction/frontends/gobra/scion_packAddr.vpr new file mode 100644 index 00000000..e0e4fcf8 --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/scion_packAddr.vpr 
@@ -0,0 +1,3159 @@ +domain ShStruct2[T0, T1] { + + function ShStructget1of2(x: ShStruct2[T0, T1]): T1 + + function ShStructget0of2(x: ShStruct2[T0, T1]): T0 + + function ShStructrev1of2(v1: T1): ShStruct2[T0, T1] + + function ShStructrev0of2(v0: T0): ShStruct2[T0, T1] + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget1of2(x): T1) } + (ShStructrev1of2((ShStructget1of2(x): T1)): ShStruct2[T0, T1]) == x) + } + + axiom { + (forall x: ShStruct2[T0, T1], y: ShStruct2[T0, T1] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of2(x): T0) == (ShStructget0of2(y): T0) && + (ShStructget1of2(x): T1) == (ShStructget1of2(y): T1))) + } + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget0of2(x): T0) } + (ShStructrev0of2((ShStructget0of2(x): T0)): ShStruct2[T0, T1]) == x) + } +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function scap(s: Slice[T]): Int + + function soffset(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + function slen(s: Slice[T]): Int + + axiom deconstructor_over_constructor_array { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) == a) + } + + axiom { + (forall s: Slice[T] :: + { (soffset(s): Int), (scap(s): Int) } + { (ShArraylen((sarray(s): ShArray[T])): Int) } + (soffset(s): Int) + (scap(s): Int) <= + (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom deconstructor_over_constructor_len { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (slen((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (slen((smake(a, o, l, c): Slice[T])): Int) == l) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + 
} + + axiom { + (forall s: Slice[T] :: + { (slen(s): Int) } + { (scap(s): Int) } + (slen(s): Int) <= (scap(s): Int)) + } + + axiom deconstructor_over_constructor_offset { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (soffset((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (soffset((smake(a, o, l, c): Slice[T])): Int) == o) + } + + axiom deconstructor_over_constructor_cap { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (scap((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (scap((smake(a, o, l, c): Slice[T])): Int) == c) + } + + axiom { + (forall s: Slice[T] :: + { (sarray(s): ShArray[T]) } + { (soffset(s): Int) } + { (slen(s): Int) } + { (scap(s): Int) } + s == + (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain Emb_2_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain ShStruct0 { + + axiom { + (forall x: ShStruct0, y: ShStruct0 :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == true) + } +} + +domain ShStruct1[T0] { + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } +} + +domain ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] { + + function ShStructget4of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T4 + + function ShStructget10of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T10 + + function ShStructrev4of17(v4: T4): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, 
T12, T13, T14, T15, T16] + + function ShStructrev10of17(v10: T10): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev13of17(v13: T13): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget5of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T5 + + function ShStructrev0of17(v0: T0): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev2of17(v2: T2): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev1of17(v1: T1): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget6of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T6 + + function ShStructrev15of17(v15: T15): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget7of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T7 + + function ShStructrev14of17(v14: T14): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget8of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T8 + + function ShStructrev7of17(v7: T7): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget2of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T2 + + function ShStructget11of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T11 + + function ShStructrev12of17(v12: T12): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev11of17(v11: T11): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, 
T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget3of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T3 + + function ShStructrev9of17(v9: T9): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev8of17(v8: T8): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev3of17(v3: T3): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev5of17(v5: T5): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget16of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T16 + + function ShStructget14of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T14 + + function ShStructget13of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T13 + + function ShStructrev16of17(v16: T16): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev6of17(v6: T6): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget9of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T9 + + function ShStructget12of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T12 + + function ShStructget0of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T0 + + function ShStructget1of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T1 + + function ShStructget15of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T15 + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, 
T11, T12, T13, T14, T15, T16] :: + { (ShStructget10of17(x): T10) } + (ShStructrev10of17((ShStructget10of17(x): T10)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget1of17(x): T1) } + (ShStructrev1of17((ShStructget1of17(x): T1)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget2of17(x): T2) } + (ShStructrev2of17((ShStructget2of17(x): T2)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget16of17(x): T16) } + (ShStructrev16of17((ShStructget16of17(x): T16)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget8of17(x): T8) } + (ShStructrev8of17((ShStructget8of17(x): T8)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget3of17(x): T3) } + (ShStructrev3of17((ShStructget3of17(x): T3)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget12of17(x): T12) } + (ShStructrev12of17((ShStructget12of17(x): T12)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + 
(forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget7of17(x): T7) } + (ShStructrev7of17((ShStructget7of17(x): T7)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget11of17(x): T11) } + (ShStructrev11of17((ShStructget11of17(x): T11)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16], + y: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of17(x): T0) == (ShStructget0of17(y): T0) && + (ShStructget1of17(x): T1) == (ShStructget1of17(y): T1) && + (ShStructget2of17(x): T2) == (ShStructget2of17(y): T2) && + (ShStructget3of17(x): T3) == (ShStructget3of17(y): T3) && + (ShStructget4of17(x): T4) == (ShStructget4of17(y): T4) && + (ShStructget5of17(x): T5) == (ShStructget5of17(y): T5) && + (ShStructget6of17(x): T6) == (ShStructget6of17(y): T6) && + (ShStructget7of17(x): T7) == (ShStructget7of17(y): T7) && + (ShStructget8of17(x): T8) == (ShStructget8of17(y): T8) && + (ShStructget9of17(x): T9) == (ShStructget9of17(y): T9) && + (ShStructget10of17(x): T10) == (ShStructget10of17(y): T10) && + (ShStructget11of17(x): T11) == (ShStructget11of17(y): T11) && + (ShStructget12of17(x): T12) == (ShStructget12of17(y): T12) && + (ShStructget13of17(x): T13) == (ShStructget13of17(y): T13) && + (ShStructget14of17(x): T14) == (ShStructget14of17(y): T14) && + (ShStructget15of17(x): T15) == (ShStructget15of17(y): T15) && + (ShStructget16of17(x): T16) == (ShStructget16of17(y): T16))) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { 
(ShStructget5of17(x): T5) } + (ShStructrev5of17((ShStructget5of17(x): T5)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget4of17(x): T4) } + (ShStructrev4of17((ShStructget4of17(x): T4)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget6of17(x): T6) } + (ShStructrev6of17((ShStructget6of17(x): T6)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget15of17(x): T15) } + (ShStructrev15of17((ShStructget15of17(x): T15)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget9of17(x): T9) } + (ShStructrev9of17((ShStructget9of17(x): T9)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget0of17(x): T0) } + (ShStructrev0of17((ShStructget0of17(x): T0)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget14of17(x): T14) } + (ShStructrev14of17((ShStructget14of17(x): T14)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, 
T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget13of17(x): T13) } + (ShStructrev13of17((ShStructget13of17(x): T13)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } +} + +domain Emb_1_Intbyte$$$_S_$$$ { + + +} + +domain Emb_6_Intbyte$$$_S_$$$ { + + +} + +domain Emb_2_Interfaceempty_interface$$$$_E_$$$ { + + +} + +domain Types { + + unique function SCMPInternalConnectivityDown_840d9458_T_Types_tag(): Int + + function slice_Types(p0: Types): Types + + function SCMPExternalInterfaceDown_840d9458_T_Types(): Types + + function integer_Types(): Types + + unique function slice_Types_tag(): Int + + unique function Payload_b41831d7_T_Types_tag(): Int + + unique function SCMPPacketTooBig_840d9458_T_Types_tag(): Int + + function Y$6914870a_b41831d7__Types(): Types + + function BFD_6416454f_T_Types(): Types + + unique function Y$558431e4_a6ceb89d__Types_tag(): Int + + function SCION_840d9458_T_Types(): Types + + function SCMPTraceroute_840d9458_T_Types(): Types + + function AddrType_840d9458_T_Types(): Types + + unique function Y$c2e55be_72f0d887__Types_tag(): Int + + function Y$60c7bddc_b41831d7__Types(): Types + + function HostIPv4_cd675838_T_Types(): Types + + function Y$c2e55be_72f0d887__Types(): Types + + unique function Raw_daeaf66a_T_Types_tag(): Int + + function Y$35202e5_cd675838__Types(): Types + + function Y$49c4c25f_d3743b4f__Types(): Types + + unique function int_Types_tag(): Int + + unique function Y$9127f611_b41831d7__Types_tag(): Int + + unique function empty_interface_Types_tag(): Int + + function SCMPCode_840d9458_T_Types(): Types + + unique function Decoded_daeaf66a_T_Types_tag(): Int + + function pointer_Types(p0: Types): Types + + unique function Y$b28ae4_ac87dd1d__Types_tag(): Int + + unique function Y$35202e5_cd675838__Types_tag(): Int + + function Y$558431e4_a6ceb89d__Types(): Types + + function tag_Types(t: Types): Int + + function behavioral_subtype_Types(l: Types, r: Types): 
Bool + + unique function L4ProtocolType_840d9458_T_Types_tag(): Int + + function littleEndian_72f0d887_T_Types(): Types + + unique function AddrType_840d9458_T_Types_tag(): Int + + unique function HostNone_cd675838_T_Types_tag(): Int + + unique function byte_Types_tag(): Int + + unique function Y$49c4c25f_d3743b4f__Types_tag(): Int + + function Y$9127f611_b41831d7__Types(): Types + + function EndToEndExtn_840d9458_T_Types(): Types + + unique function SCMPTraceroute_840d9458_T_Types_tag(): Int + + function empty_interface_Types(): Types + + unique function UDPAddr_5c610647_T_Types_tag(): Int + + unique function bigEndian_72f0d887_T_Types_tag(): Int + + unique function nilDecodeFeedback_b41831d7_T_Types_tag(): Int + + function Y$3191b69e_b41831d7__Types(): Types + + unique function HopByHopExtn_840d9458_T_Types_tag(): Int + + unique function Path_c385169_T_Types_tag(): Int + + unique function SCMP_840d9458_T_Types_tag(): Int + + unique function Y$17800ab4_b41831d7__Types_tag(): Int + + function Y$8f734176_14a7fb6d__Types(): Types + + unique function AS_cd675838_T_Types_tag(): Int + + function HostNone_cd675838_T_Types(): Types + + function Path_c6e60a1d_T_Types(): Types + + function AS_cd675838_T_Types(): Types + + function SCMPTypeCode_840d9458_T_Types(): Types + + unique function Path_4cddb96f_T_Types_tag(): Int + + function rawPath_a6ceb89d_T_Types(): Types + + function HopByHopExtn_840d9458_T_Types(): Types + + unique function Y$9c78df5f_b41831d7__Types_tag(): Int + + function SCMPDestinationUnreachable_840d9458_T_Types(): Types + + function nilDecodeFeedback_b41831d7_T_Types(): Types + + unique function rawPath_a6ceb89d_T_Types_tag(): Int + + unique function Y$68d3cee9_b41831d7__Types_tag(): Int + + function int_Types(): Types + + function nil_Types(): Types + + unique function SCMPExternalInterfaceDown_840d9458_T_Types_tag(): Int + + unique function BFD_6416454f_T_Types_tag(): Int + + function UDPAddr_5c610647_T_Types(): Types + + unique function 
HostSVC_cd675838_T_Types_tag(): Int + + function uint16_Types(): Types + + function SCMPPacketTooBig_840d9458_T_Types(): Types + + function IPAddr_5c610647_T_Types(): Types + + function Y$68d3cee9_b41831d7__Types(): Types + + unique function Y$8f734176_14a7fb6d__Types_tag(): Int + + function Path_4cddb96f_T_Types(): Types + + function Y$febd64e7_b41831d7__Types(): Types + + unique function SCMPType_840d9458_T_Types_tag(): Int + + unique function string_Types_tag(): Int + + unique function SCMPTypeCode_840d9458_T_Types_tag(): Int + + function Y$9c78df5f_b41831d7__Types(): Types + + function bigEndian_72f0d887_T_Types(): Types + + unique function Y$53a71dc3_5c610647__Types_tag(): Int + + unique function IPAddr_5c610647_T_Types_tag(): Int + + unique function HopByHopExtnSkipper_840d9458_T_Types_tag(): Int + + function HopByHopExtnSkipper_840d9458_T_Types(): Types + + unique function SCMPEcho_840d9458_T_Types_tag(): Int + + function HostSVC_cd675838_T_Types(): Types + + unique function integer_Types_tag(): Int + + function Y$17800ab4_b41831d7__Types(): Types + + unique function littleEndian_72f0d887_T_Types_tag(): Int + + function SCMPInternalConnectivityDown_840d9458_T_Types(): Types + + function Decoded_daeaf66a_T_Types(): Types + + function SCMPType_840d9458_T_Types(): Types + + unique function Y$6914870a_b41831d7__Types_tag(): Int + + function byte_Types(): Types + + unique function Y$60c7bddc_b41831d7__Types_tag(): Int + + function Payload_b41831d7_T_Types(): Types + + function Path_c385169_T_Types(): Types + + function SCMPParameterProblem_840d9458_T_Types(): Types + + function Y$b28ae4_ac87dd1d__Types(): Types + + unique function HostIPv6_cd675838_T_Types_tag(): Int + + unique function SCION_840d9458_T_Types_tag(): Int + + function SCMPEcho_840d9458_T_Types(): Types + + unique function Y$febd64e7_b41831d7__Types_tag(): Int + + function EndToEndExtnSkipper_840d9458_T_Types(): Types + + unique function HostIPv4_cd675838_T_Types_tag(): Int + + unique function 
nil_Types_tag(): Int + + function L4ProtocolType_840d9458_T_Types(): Types + + unique function Y$3191b69e_b41831d7__Types_tag(): Int + + unique function EndToEndExtnSkipper_840d9458_T_Types_tag(): Int + + function IA_cd675838_T_Types(): Types + + unique function IA_cd675838_T_Types_tag(): Int + + unique function LayerType_b41831d7_T_Types_tag(): Int + + function get_0_pointer_Types(t: Types): Types + + unique function Path_c6e60a1d_T_Types_tag(): Int + + function Raw_daeaf66a_T_Types(): Types + + unique function SCMPCode_840d9458_T_Types_tag(): Int + + unique function pointer_Types_tag(): Int + + function Y$53a71dc3_5c610647__Types(): Types + + unique function SCMPDestinationUnreachable_840d9458_T_Types_tag(): Int + + function SCMP_840d9458_T_Types(): Types + + function HostIPv6_cd675838_T_Types(): Types + + function LayerType_b41831d7_T_Types(): Types + + unique function uint16_Types_tag(): Int + + function comparableType_Types(t: Types): Bool + + unique function EndToEndExtn_840d9458_T_Types_tag(): Int + + unique function SCMPParameterProblem_840d9458_T_Types_tag(): Int + + function string_Types(): Types + + axiom { + comparableType_Types(SCION_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPPacketTooBig_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$9c78df5f_b41831d7__Types()) == false + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + tag_Types(Y$c2e55be_72f0d887__Types()) == + Y$c2e55be_72f0d887__Types_tag() + } + + axiom { + comparableType_Types(Y$b28ae4_ac87dd1d__Types()) == false + } + + axiom { + (forall p0: Types :: + { comparableType_Types(slice_Types(p0)) } + comparableType_Types(slice_Types(p0)) == false) + } + + axiom { + comparableType_Types(IA_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(Y$35202e5_cd675838__Types()) == false + } + + axiom { + 
comparableType_Types(Raw_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(int_Types()) == int_Types_tag() + } + + axiom { + comparableType_Types(SCMPEcho_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Payload_b41831d7_T_Types()) == false + } + + axiom { + tag_Types(AS_cd675838_T_Types()) == AS_cd675838_T_Types_tag() + } + + axiom { + tag_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + SCMPExternalInterfaceDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$49c4c25f_d3743b4f__Types()) == + Y$49c4c25f_d3743b4f__Types_tag() + } + + axiom { + comparableType_Types(HostSVC_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(SCMPParameterProblem_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPType_840d9458_T_Types()) == + SCMPType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$b28ae4_ac87dd1d__Types()) == Y$b28ae4_ac87dd1d__Types_tag() + } + + axiom { + comparableType_Types(Path_c385169_T_Types()) == true + } + + axiom { + comparableType_Types(Y$53a71dc3_5c610647__Types()) == false + } + + axiom { + comparableType_Types(Path_4cddb96f_T_Types()) == true + } + + axiom { + comparableType_Types(UDPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(IA_cd675838_T_Types()) == IA_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(Y$9127f611_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(EndToEndExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(nilDecodeFeedback_b41831d7_T_Types()) == + nilDecodeFeedback_b41831d7_T_Types_tag() + } + + axiom { + comparableType_Types(Y$3191b69e_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(AddrType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$3191b69e_b41831d7__Types()) == + Y$3191b69e_b41831d7__Types_tag() + } + + axiom { 
+ tag_Types(HopByHopExtn_840d9458_T_Types()) == + HopByHopExtn_840d9458_T_Types_tag() + } + + axiom { + tag_Types(BFD_6416454f_T_Types()) == BFD_6416454f_T_Types_tag() + } + + axiom { + comparableType_Types(Y$febd64e7_b41831d7__Types()) == false + } + + axiom { + tag_Types(HopByHopExtnSkipper_840d9458_T_Types()) == + HopByHopExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HostIPv6_cd675838_T_Types()) == + HostIPv6_cd675838_T_Types_tag() + } + + axiom { + tag_Types(Y$558431e4_a6ceb89d__Types()) == + Y$558431e4_a6ceb89d__Types_tag() + } + + axiom { + comparableType_Types(Y$68d3cee9_b41831d7__Types()) == false + } + + axiom { + tag_Types(uint16_Types()) == uint16_Types_tag() + } + + axiom { + comparableType_Types(SCMPTypeCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPTraceroute_840d9458_T_Types()) == + SCMPTraceroute_840d9458_T_Types_tag() + } + + axiom { + tag_Types(littleEndian_72f0d887_T_Types()) == + littleEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(Y$8f734176_14a7fb6d__Types()) == false + } + + axiom { + comparableType_Types(string_Types()) == true + } + + axiom { + tag_Types(Y$9127f611_b41831d7__Types()) == + Y$9127f611_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$febd64e7_b41831d7__Types()) == + Y$febd64e7_b41831d7__Types_tag() + } + + axiom { + tag_Types(Y$60c7bddc_b41831d7__Types()) == + Y$60c7bddc_b41831d7__Types_tag() + } + + axiom { + tag_Types(EndToEndExtn_840d9458_T_Types()) == + EndToEndExtn_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Payload_b41831d7_T_Types()) == Payload_b41831d7_T_Types_tag() + } + + axiom { + comparableType_Types(Y$558431e4_a6ceb89d__Types()) == false + } + + axiom { + comparableType_Types(HopByHopExtn_840d9458_T_Types()) == true + } + + axiom { + tag_Types(HostNone_cd675838_T_Types()) == + HostNone_cd675838_T_Types_tag() + } + + axiom { + (forall x0: Types :: + { pointer_Types(x0) } + get_0_pointer_Types(pointer_Types(x0)) == x0) + } + + axiom { + 
tag_Types(Y$9c78df5f_b41831d7__Types()) == + Y$9c78df5f_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(SCMPCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Decoded_daeaf66a_T_Types()) == Decoded_daeaf66a_T_Types_tag() + } + + axiom { + comparableType_Types(Y$17800ab4_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(integer_Types()) == true + } + + axiom { + tag_Types(Y$6914870a_b41831d7__Types()) == + Y$6914870a_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(Y$c2e55be_72f0d887__Types()) == false + } + + axiom { + comparableType_Types(AS_cd675838_T_Types()) == true + } + + axiom { + tag_Types(SCMPPacketTooBig_840d9458_T_Types()) == + SCMPPacketTooBig_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(int_Types()) == true + } + + axiom { + tag_Types(SCMPTypeCode_840d9458_T_Types()) == + SCMPTypeCode_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(LayerType_b41831d7_T_Types()) == true + } + + axiom { + comparableType_Types(uint16_Types()) == true + } + + axiom { + comparableType_Types(littleEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(nilDecodeFeedback_b41831d7_T_Types()) == true + } + + axiom { + tag_Types(rawPath_a6ceb89d_T_Types()) == rawPath_a6ceb89d_T_Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + tag_Types(Y$35202e5_cd675838__Types()) == + Y$35202e5_cd675838__Types_tag() + } + + axiom { + tag_Types(SCMPCode_840d9458_T_Types()) == + SCMPCode_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(byte_Types()) == true + } + + axiom { + (forall p0: Types :: + { comparableType_Types(pointer_Types(p0)) } + comparableType_Types(pointer_Types(p0)) == true) + } + + axiom { + comparableType_Types(Y$49c4c25f_d3743b4f__Types()) == false + } + + axiom { + 
comparableType_Types(rawPath_a6ceb89d_T_Types()) == true + } + + axiom { + tag_Types(Path_4cddb96f_T_Types()) == Path_4cddb96f_T_Types_tag() + } + + axiom { + tag_Types(IPAddr_5c610647_T_Types()) == IPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(EndToEndExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { slice_Types(p0) } + tag_Types(slice_Types(p0)) == slice_Types_tag()) + } + + axiom { + tag_Types(Path_c385169_T_Types()) == Path_c385169_T_Types_tag() + } + + axiom { + comparableType_Types(Path_c6e60a1d_T_Types()) == true + } + + axiom { + comparableType_Types(IPAddr_5c610647_T_Types()) == true + } + + axiom { + comparableType_Types(HostIPv6_cd675838_T_Types()) == false + } + + axiom { + tag_Types(L4ProtocolType_840d9458_T_Types()) == + L4ProtocolType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$17800ab4_b41831d7__Types()) == + Y$17800ab4_b41831d7__Types_tag() + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + tag_Types(AddrType_840d9458_T_Types()) == + AddrType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Decoded_daeaf66a_T_Types()) == true + } + + axiom { + tag_Types(integer_Types()) == integer_Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + comparableType_Types(HopByHopExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPParameterProblem_840d9458_T_Types()) == + SCMPParameterProblem_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$6914870a_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(SCMP_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(L4ProtocolType_840d9458_T_Types()) == true + } + + axiom { + 
comparableType_Types(SCMPTraceroute_840d9458_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { pointer_Types(p0) } + tag_Types(pointer_Types(p0)) == pointer_Types_tag()) + } + + axiom { + comparableType_Types(HostIPv4_cd675838_T_Types()) == false + } + + axiom { + tag_Types(HostSVC_cd675838_T_Types()) == HostSVC_cd675838_T_Types_tag() + } + + axiom { + tag_Types(LayerType_b41831d7_T_Types()) == + LayerType_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(Y$68d3cee9_b41831d7__Types()) == + Y$68d3cee9_b41831d7__Types_tag() + } + + axiom { + tag_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + SCMPInternalConnectivityDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCION_840d9458_T_Types()) == SCION_840d9458_T_Types_tag() + } + + axiom { + tag_Types(bigEndian_72f0d887_T_Types()) == + bigEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(HostNone_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + tag_Types(string_Types()) == string_Types_tag() + } + + axiom { + tag_Types(byte_Types()) == byte_Types_tag() + } + + axiom { + tag_Types(Y$8f734176_14a7fb6d__Types()) == + Y$8f734176_14a7fb6d__Types_tag() + } + + axiom { + tag_Types(Raw_daeaf66a_T_Types()) == Raw_daeaf66a_T_Types_tag() + } + + axiom { + comparableType_Types(bigEndian_72f0d887_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(Y$53a71dc3_5c610647__Types()) == + Y$53a71dc3_5c610647__Types_tag() + } + + axiom { + comparableType_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(SCMP_840d9458_T_Types()) == SCMP_840d9458_T_Types_tag() + } + + axiom { + tag_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + SCMPDestinationUnreachable_840d9458_T_Types_tag() + } + + axiom { + tag_Types(EndToEndExtnSkipper_840d9458_T_Types()) == + 
EndToEndExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(BFD_6416454f_T_Types()) == true + } + + axiom { + tag_Types(SCMPEcho_840d9458_T_Types()) == + SCMPEcho_840d9458_T_Types_tag() + } + + axiom { + tag_Types(UDPAddr_5c610647_T_Types()) == UDPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(Y$60c7bddc_b41831d7__Types()) == false + } + + axiom { + tag_Types(Path_c6e60a1d_T_Types()) == Path_c6e60a1d_T_Types_tag() + } + + axiom { + tag_Types(HostIPv4_cd675838_T_Types()) == + HostIPv4_cd675838_T_Types_tag() + } +} + +domain ShStruct6[T0, T1, T2, T3, T4, T5] { + + function ShStructget1of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T1 + + function ShStructget0of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T0 + + function ShStructrev3of6(v3: T3): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev4of6(v4: T4): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget5of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T5 + + function ShStructget3of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T3 + + function ShStructget2of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T2 + + function ShStructrev0of6(v0: T0): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev2of6(v2: T2): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev1of6(v1: T1): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev5of6(v5: T5): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget4of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T4 + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget3of6(x): T3) } + (ShStructrev3of6((ShStructget3of6(x): T3)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget1of6(x): T1) } + (ShStructrev1of6((ShStructget1of6(x): T1)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5], y: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + 
((ShStructget0of6(x): T0) == (ShStructget0of6(y): T0) && + (ShStructget1of6(x): T1) == (ShStructget1of6(y): T1) && + (ShStructget2of6(x): T2) == (ShStructget2of6(y): T2) && + (ShStructget3of6(x): T3) == (ShStructget3of6(y): T3) && + (ShStructget4of6(x): T4) == (ShStructget4of6(y): T4) && + (ShStructget5of6(x): T5) == (ShStructget5of6(y): T5))) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget0of6(x): T0) } + (ShStructrev0of6((ShStructget0of6(x): T0)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget2of6(x): T2) } + (ShStructrev2of6((ShStructget2of6(x): T2)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget5of6(x): T5) } + (ShStructrev5of6((ShStructget5of6(x): T5)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget4of6(x): T4) } + (ShStructrev4of6((ShStructget4of6(x): T4)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraysecond(r: T): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraylen(a: ShArray[T]): Int + + axiom { + (forall a: ShArray[T] :: + { (ShArraylen(a): Int) } + (ShArraylen(a): Int) >= 0) + } + + axiom { + (forall a: ShArray[T], i: Int :: + { (ShArrayloc(a, i): T) } + 0 <= i && i < (ShArraylen(a): Int) ==> + (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && + (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev4of5(v4: T4): ShStruct5[T0, T1, 
T2, T3, T4] + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructrev0of5(v0: T0): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && + (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && + (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && + (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && + (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget4of5(x): T4) } + (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget1of5(x): T1) } + (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget3of5(x): T3) } + (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget2of5(x): T2) } + (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget0of5(x): T0) } + (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { (tuple2(t0, t1): Tuple2[T0, T1]) } + (get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + 
(get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget1of4(x): T1) } + (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget3of4(x): T3) } + (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget0of4(x): T0) } + (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && + (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && + (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && + (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget2of4(x): T2) } + (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == + x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructget2of3(x: ShStruct3[T0, T1, T2]): T2 + + function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + 
function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Emb_3_Intuint8$$$_S_$$$ { + + +} + +domain Tuple0 { + + +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain ComparableInterfaceDomain { + + function comparableInterface(i: Tuple2[Ref, Types]): Bool + + axiom { + (forall i: Tuple2[Ref, Types] :: + { comparableInterface(i) } + comparableType_Types((get1of2(i): Types)) ==> comparableInterface(i)) + } +} + +domain Poly[T] { + + function box_Poly(x: T): Ref + + function unbox_Poly(y: Ref): T + + axiom { + (forall x: T :: + { (box_Poly(x): Ref) } + (unbox_Poly((box_Poly(x): Ref)): T) == x) + } +} + +domain String { + + unique function stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e(): Int + + unique function stringLit5468757273646179(): Int + + unique function stringLit5765646e6573646179(): Int + + unique function 
stringLit61646472(): Int + + unique function stringLit556e6b6e6f776e4e65787448647254797065(): Int + + unique function stringLit496e76616c6964536f7572636541646472657373(): Int + + unique function stringLit45787465726e616c496e74657266616365446f776e(): Int + + unique function stringLit736f757263652061646472657373206d697373696e67(): Int + + unique function stringLit6970(): Int + + unique function stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e(): Int + + unique function stringLit556e6b6e6f776e486f704279486f704f7074696f6e(): Int + + unique function stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(): Int + + unique function stringLit44657374696e6174696f6e556e726561636861626c65(): Int + + unique function stringLit62756666657220746f6f2073686f7274(): Int + + unique function stringLit5472616365726f7574655265706c79(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e20(): Int + + unique function stringLit496e76616c6964457874656e73696f6e486561646572(): Int + + unique function stringLit5343494f4e20686561646572206d697373696e67(): Int + + unique function stringLit616464724864724c656e(): Int + + unique function stringLit6d696e696e756d5f6c65677468(): Int + + unique function stringLit4e6f6e65(): Int + + unique function stringLit4f63746f626572(): Int + + unique function stringLit5061746845787069726564(): Int + + unique function stringLit4563686f5265706c79(): Int + + unique function stringLit6864724279746573(): Int + + unique function stringLit496e76616c6964486f704669656c644d4143(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit496e76616c69645365676d656e744368616e6765(): Int + + unique function stringLit5061636b6574546f6f426967(): Int + + unique function stringLit62696e6172792e4c6974746c65456e6469616e(): Int + + unique function stringLit424644(): Int + + 
unique function stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032(): Int + + unique function stringLit496e76616c69645061636b657453697a65(): Int + + unique function stringLit5472616365726f75746552657175657374(): Int + + unique function stringLit556e6b6e6f776e5061746854797065(): Int + + unique function stringLit257328257329(): Int + + unique function stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(): Int + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit456e6432456e64(): Int + + unique function stringLit4c6974746c65456e6469616e(): Int + + unique function stringLit4d6179(): Int + + unique function stringLit486f704279486f70(): Int + + unique function stringLit686561646572206c656e6774682065786365656473206d6178696d756d(): Int + + unique function stringLit4a616e75617279(): Int + + unique function stringLit6d6178(): Int + + unique function stringLit417072696c(): Int + + unique function stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564(): Int + + unique function stringLit256428256429(): Int + + unique function stringLit4a756e65(): Int + + unique function stringLit467269646179(): Int + + unique function stringLit506172616d6574657250726f626c656d(): Int + + unique function stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572(): Int + + unique function stringLit53657074656d626572(): Int + + unique function stringLit64657374696e6174696f6e2061646472657373206d697373696e67(): Int + + unique function stringLit496e7465726e616c436f6e6e6563746976697479446f776e(): Int + + unique function stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit426967456e6469616e(): Int + + unique function stringLit417567757374(): 
Int + + unique function stringLit4665627275617279(): Int + + unique function stringLit446563656d626572(): Int + + unique function stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034(): Int + + unique function stringLit556e6b6e6f776e41646472657373466f726d6174(): Int + + unique function stringLit496e76616c6964436f6d6d6f6e486561646572(): Int + + unique function stringLit6c656e(): Int + + unique function stringLit53756e646179(): Int + + unique function stringLit556e6b6e6f776e5343494f4e56657273696f6e(): Int + + unique function stringLit6d696e696d756d(): Int + + unique function stringLit4e6f6e4c6f63616c44656c6976657279(): Int + + unique function stringLit554e4b4e4f574e2028256429(): Int + + unique function stringLit436d644864724c656e(): Int + + unique function stringLit5361747572646179(): Int + + unique function stringLit6578706563746564(): Int + + unique function stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(): Int + + unique function stringLit257328436f64653a20256429(): Int + + unique function stringLit6d696e(): Int + + unique function stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(): Int + + unique function stringLit4572726f6e656f75734865616465724669656c64(): Int + + unique function stringLit466c6f7749445265717569726564(): Int + + unique function stringLit4d6f6e646179(): Int + + unique function stringLit4a756c79(): Int + + unique function stringLit756470(): Int + + unique function stringLit4563686f52657175657374(): Int + + unique function stringLit(): Int + + unique function stringLit756e737570706f727465642061646472657373(): Int + + unique function stringLit496e76616c696450617468(): Int + + unique function stringLit54756573646179(): Int + + unique function stringLit544350(): Int + + unique function stringLit4e6f76656d626572(): Int + + unique function stringLit556e6b6e6f776e456e64546f456e644f7074696f6e(): Int + + unique 
function stringLit74797065(): Int + + unique function stringLit496e76616c696441646472657373486561646572(): Int + + unique function stringLit2573282564295c6e5061796c6f61643a202573(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365(): Int + + unique function stringLit4d61726368(): Int + + unique function stringLit53434d50(): Int + + unique function stringLit4f7074696f6e206e6f7420666f756e64(): Int + + unique function stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573(): Int + + unique function stringLit61637475616c(): Int + + unique function stringLit62696e6172792e426967456e6469616e(): Int + + unique function stringLit554450(): Int + + unique function stringLit496e76616c696444657374696e6174696f6e41646472657373(): Int + + axiom { + strLen(stringLit5061746845787069726564()) == 11 + } + + axiom { + strLen(stringLit74797065()) == 4 + } + + axiom { + strLen(stringLit6578706563746564()) == 8 + } + + axiom { + strLen(stringLit756470()) == 3 + } + + axiom { + strLen(stringLit436d644864724c656e()) == 9 + } + + axiom { + strLen(stringLit62696e6172792e426967456e6469616e()) == 16 + } + + axiom { + strLen(stringLit496e76616c696441646472657373486561646572()) == 20 + } + + axiom { + strLen(stringLit257328436f64653a20256429()) == 12 + } + + axiom { + strLen(stringLit4563686f52657175657374()) == 11 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit686561646572206c656e6774682065786365656473206d6178696d756d()) == + 29 + } + + axiom { + strLen(stringLit496e76616c6964457874656e73696f6e486561646572()) == 22 + } + + axiom { + strLen(stringLit61637475616c()) == 6 + } + + axiom { + strLen(stringLit4d61726368()) == 5 + } + + axiom { + strLen(stringLit62696e6172792e4c6974746c65456e6469616e()) == 19 + } + + axiom { + strLen(stringLit467269646179()) == 6 + } + + axiom { + 
strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032()) == + 47 + } + + axiom { + strLen(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c()) == + 28 + } + + axiom { + strLen(stringLit554450()) == 3 + } + + axiom { + strLen(stringLit426967456e6469616e()) == 9 + } + + axiom { + strLen(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e()) == + 32 + } + + axiom { + strLen(stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572()) == + 47 + } + + axiom { + strLen(stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573()) == + 38 + } + + axiom { + strLen(stringLit4a616e75617279()) == 7 + } + + axiom { + strLen(stringLit4d6179()) == 3 + } + + axiom { + strLen(stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564()) == + 39 + } + + axiom { + strLen(stringLit756e737570706f727465642061646472657373()) == 19 + } + + axiom { + strLen(stringLit4f63746f626572()) == 7 + } + + axiom { + strLen(stringLit44657374696e6174696f6e556e726561636861626c65()) == 22 + } + + axiom { + strLen(stringLit496e7465726e616c436f6e6e6563746976697479446f776e()) == + 24 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365()) == + 30 + } + + axiom { + strLen(stringLit466c6f7749445265717569726564()) == 14 + } + + axiom { + strLen(stringLit4a756c79()) == 4 + } + + axiom { + strLen(stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034()) == + 51 + } + + axiom { + strLen(stringLit424644()) == 3 + } + + axiom { + strLen(stringLit486f704279486f70()) == 8 + } + + axiom { + strLen(stringLit53434d50()) == 4 + } + + axiom { + strLen(stringLit556e6b6e6f776e5061746854797065()) == 15 + } + + axiom { + strLen(stringLit456e6432456e64()) == 7 + } + + axiom { + strLen(stringLit5361747572646179()) == 8 + } + + axiom { 
+ strLen(stringLit496e76616c6964436f6d6d6f6e486561646572()) == 19 + } + + axiom { + strLen(stringLit556e6b6e6f776e5343494f4e56657273696f6e()) == 19 + } + + axiom { + strLen(stringLit446563656d626572()) == 8 + } + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + strLen(stringLit5468757273646179()) == 8 + } + + axiom { + strLen(stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit6970()) == 2 + } + + axiom { + strLen(stringLit62756666657220746f6f2073686f7274()) == 16 + } + + axiom { + strLen(stringLit554e4b4e4f574e2028256429()) == 12 + } + + axiom { + strLen(stringLit5472616365726f7574655265706c79()) == 15 + } + + axiom { + strLen(stringLit64657374696e6174696f6e2061646472657373206d697373696e67()) == + 27 + } + + axiom { + strLen(stringLit256428256429()) == 6 + } + + axiom { + strLen(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468()) == + 47 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e()) == + 52 + } + + axiom { + strLen(stringLit4563686f5265706c79()) == 9 + } + + axiom { + strLen(stringLit53657074656d626572()) == 9 + } + + axiom { + strLen(stringLit5061636b6574546f6f426967()) == 12 + } + + axiom { + strLen(stringLit496e76616c696450617468()) == 11 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365()) == + 31 + } + + axiom { + strLen(stringLit2573282564295c6e5061796c6f61643a202573()) == 19 + } + + axiom { + strLen(stringLit257328257329()) == 6 + } + + axiom { + strLen(stringLit417072696c()) == 5 + } + + axiom { + strLen(stringLit4665627275617279()) == 8 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e20()) == + 26 + } + + axiom { + strLen(stringLit4f7074696f6e206e6f7420666f756e64()) == 
16 + } + + axiom { + strLen(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468()) == + 55 + } + + axiom { + strLen(stringLit53756e646179()) == 6 + } + + axiom { + strLen(stringLit45787465726e616c496e74657266616365446f776e()) == 21 + } + + axiom { + strLen(stringLit4e6f76656d626572()) == 8 + } + + axiom { + strLen(stringLit556e6b6e6f776e41646472657373466f726d6174()) == 20 + } + + axiom { + strLen(stringLit54756573646179()) == 7 + } + + axiom { + strLen(stringLit4d6f6e646179()) == 6 + } + + axiom { + strLen(stringLit556e6b6e6f776e456e64546f456e644f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit496e76616c696444657374696e6174696f6e41646472657373()) == + 25 + } + + axiom { + strLen(stringLit6d696e()) == 3 + } + + axiom { + strLen(stringLit6d6178()) == 3 + } + + axiom { + strLen(stringLit4e6f6e4c6f63616c44656c6976657279()) == 16 + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704279486f704f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit616464724864724c656e()) == 10 + } + + axiom { + strLen(stringLit5472616365726f75746552657175657374()) == 17 + } + + axiom { + strLen(stringLit496e76616c6964536f7572636541646472657373()) == 20 + } + + axiom { + strLen(stringLit4a756e65()) == 4 + } + + axiom { + strLen(stringLit417567757374()) == 6 + } + + axiom { + strLen(stringLit61646472()) == 4 + } + + axiom { + strLen(stringLit4c6974746c65456e6469616e()) == 12 + } + + axiom { + strLen(stringLit4572726f6e656f75734865616465724669656c64()) == 20 + } + + axiom { + strLen(stringLit4e6f6e65()) == 4 + } + + axiom { + strLen(stringLit6d696e696d756d()) == 7 + } + + axiom { + strLen(stringLit496e76616c69645061636b657453697a65()) == 17 + } + + axiom { + strLen(stringLit736f757263652061646472657373206d697373696e67()) == 22 + } + + axiom { + strLen(stringLit6c656e()) == 3 + } + + axiom { + 
strLen(stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e()) == + 43 + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit5343494f4e20686561646572206d697373696e67()) == 20 + } + + axiom { + strLen(stringLit496e76616c6964486f704669656c644d4143()) == 18 + } + + axiom { + strLen(stringLit556e6b6e6f776e4e65787448647254797065()) == 18 + } + + axiom { + strLen(stringLit5765646e6573646179()) == 9 + } + + axiom { + strLen(stringLit544350()) == 3 + } + + axiom { + strLen(stringLit6d696e696e756d5f6c65677468()) == 13 + } + + axiom { + strLen(stringLit496e76616c69645365676d656e744368616e6765()) == 20 + } + + axiom { + strLen(stringLit506172616d6574657250726f626c656d()) == 16 + } + + axiom { + strLen(stringLit6864724279746573()) == 8 + } +} + +domain PolyAdditionalAxioms { + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[Ref, Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == Path_4cddb96f_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + 
axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct0) } + (box_Poly((unbox_Poly(y): ShStruct0)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Int) } + (box_Poly((unbox_Poly(y): Int)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: 
Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == nilDecodeFeedback_b41831d7_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Slice[Ref]) } + (box_Poly((unbox_Poly(y): Slice[Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref) == + y) + } +} + +field DefinedIP_5c610647_T$$$$_E_$$$: Slice[Ref] + +field Interfaceempty_interface$$$$_E_$$$: Tuple2[Ref, Types] + +field Intbyte$$$$_E_$$$: Int + +field Intint$$$$_E_$$$: Int + +field DefinedHostSVC_cd675838_T$$$$_E_$$$: Int + +field String$$$$_E_$$$: Int + +// decreases _ +function sliceDefault_Intbyte$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_1_Intbyte$$$_S_$$$())) + + +function isIPv6_840d9458_F(a_V0: Tuple2[Ref, Types]): Bool + requires typeOfInterface_Y$53a71dc3_5c610647_(a_V0) == + pointer_Types(IPAddr_5c610647_T_Types()) + requires acc((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$, wildcard) +{ + (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) == + 16 +} 
+ +// decreases +function assertArg2_Int(b: Bool, y: Int): Int + requires b +{ + y +} + +// decreases _ +function arrayNil_1_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function typeOfInterface_Y$53a71dc3_5c610647_(itf: Tuple2[Ref, Types]): Types + ensures result == (get1of2(itf): Types) + ensures behavioral_subtype_Types(result, Y$53a71dc3_5c610647__Types()) + + +function ssliceFromArray_Ref(a: ShArray[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (ShArraylen(a): Int) + ensures (soffset(result): Int) == i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (ShArraylen(a): Int) - i + ensures (sarray(result): ShArray[Ref]) == a + + +// decreases _ +function arrayNil_2_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function ssliceFromSlice_Ref(s: Slice[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (scap(s): Int) + ensures (soffset(result): Int) == (soffset(s): Int) + i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (scap(s): Int) - i + ensures (sarray(result): ShArray[Ref]) == (sarray(s): ShArray[Ref]) + + +function isZeros_5c610647_F(s_V0: Slice[Ref]): Bool + + +// decreases _ +function unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_2_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 2 || + result == arrayNil_2_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +function isIPv4_840d9458_F(a_V0: Tuple2[Ref, Types]): Bool + requires typeOfInterface_Y$53a71dc3_5c610647_(a_V0) == + 
pointer_Types(IPAddr_5c610647_T_Types()) + requires acc((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$, wildcard) +{ + (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) == + 4 +} + +// decreases _ +function box_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(x: Seq[Tuple2[Ref, Types]]): Emb_2_Interfaceempty_interface$$$$_E_$$$ + requires |x| == 2 + ensures unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + x + + +// decreases _ +function unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(y: Emb_2_Interfaceempty_interface$$$$_E_$$$): Seq[Tuple2[Ref, Types]] + ensures |result| == 2 + ensures box_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(result) == + y + + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +// decreases _ +function box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || x == arrayNil_1_Intbyte$$$_S_$$$() + ensures unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +// decreases _ +function box_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_2_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 2 || + x == arrayNil_2_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +function isConvertibleToIPv4_840d9458_F(a_V0: Tuple2[Ref, Types]): Bool + requires typeOfInterface_Y$53a71dc3_5c610647_(a_V0) == + 
pointer_Types(IPAddr_5c610647_T_Types()) + requires acc((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$, wildcard) + requires (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, wildcard)) + requires (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + 
pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) == + 16 +{ + isZeros_5c610647_F(ssliceFromSlice_Ref((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$, + 0, 10)) && + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + 10)): Ref).Intbyte$$$$_E_$$$ == + 255 && + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(a_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(a_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + 11)): Ref).Intbyte$$$$_E_$$$ == + 255 +} + +function isIP_840d9458_F(a_V0: Tuple2[Ref, Types]): Bool +{ + typeOfInterface_Y$53a71dc3_5c610647_(a_V0) == + pointer_Types(IPAddr_5c610647_T_Types()) +} + +// decreases +function assertArg2_ShStruct2_RefRef(b: Bool, y: ShStruct2[Ref, Ref]): ShStruct2[Ref, Ref] + requires b +{ + y +} + +// decreases 
+function IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf), wildcard) + + +// decreases _ +function unbox_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_1_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_Intbyte$$$_S_$$$() + ensures box_Emb_1_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +function isHostSVC_840d9458_F(a_V0: Tuple2[Ref, Types]): Bool +{ + typeOfInterface_Y$53a71dc3_5c610647_(a_V0) == HostSVC_cd675838_T_Types() +} + +predicate dynamic_pred_8(i: Tuple2[Ref, Types]) { + ((get1of2(i): Types) == pointer_Types(IPAddr_5c610647_T_Types()) ? + (let fn$$0 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])) in + acc((ShStructget0of2(fn$$0): Ref).DefinedIP_5c610647_T$$$$_E_$$$, write) && + acc((ShStructget1of2(fn$$0): Ref).String$$$$_E_$$$, write)) && + (forall i_V1: Int :: + { (ShArrayloc((sarray((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref) } + 0 <= i_V1 && + i_V1 < + (slen((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) ==> + acc((ShArrayloc((sarray((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2((unbox_Poly((get0of2(i): Ref)): ShStruct2[Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, write)) : + ((get1of2(i): Types) == pointer_Types(UDPAddr_5c610647_T_Types()) ? 
+ (let fn$$1 == + ((unbox_Poly((get0of2(i): Ref)): ShStruct3[Ref, Ref, Ref])) in + acc((ShStructget0of3(fn$$1): Ref).DefinedIP_5c610647_T$$$$_E_$$$, write) && + acc((ShStructget1of3(fn$$1): Ref).Intint$$$$_E_$$$, write) && + acc((ShStructget2of3(fn$$1): Ref).String$$$$_E_$$$, write)) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[Ref, Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$, + 0, (slen((ShStructget0of3((unbox_Poly((get0of2(i): Ref)): ShStruct3[Ref, Ref, Ref])): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int)), write) : + ((get1of2(i): Types) == HostIPv4_cd675838_T_Types() ? + (slen((unbox_Poly((get0of2(i): Ref)): Slice[Ref])): Int) == 4 && + acc(AbsSlice_Bytes_e630ae22_F((unbox_Poly((get0of2(i): Ref)): Slice[Ref]), + 0, (slen((unbox_Poly((get0of2(i): Ref)): Slice[Ref])): Int)), write) : + ((get1of2(i): Types) == HostIPv6_cd675838_T_Types() ? + (slen((unbox_Poly((get0of2(i): Ref)): Slice[Ref])): Int) == 16 && + acc(AbsSlice_Bytes_e630ae22_F((unbox_Poly((get0of2(i): Ref)): Slice[Ref]), + 0, (slen((unbox_Poly((get0of2(i): Ref)): Slice[Ref])): Int)), write) : + ((get1of2(i): Types) == HostNone_cd675838_T_Types() ? + (slen((unbox_Poly((get0of2(i): Ref)): Slice[Ref])): Int) == 0 : + ((get1of2(i): Types) == HostSVC_cd675838_T_Types() ? + true : + ((get1of2(i): Types) == + pointer_Types(HostSVC_cd675838_T_Types()) ? 
+ acc((get0of2(i): Ref).DefinedHostSVC_cd675838_T$$$$_E_$$$, write) : + acc(dynamic_pred_8_unknown(i), write)))))))) +} + +predicate AbsSlice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int) { + 0 <= start_V0 && start_V0 <= end_V0 && end_V0 <= (scap(s_V0): Int) && + (forall i_V1: Int :: + { (ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), i_V1)): Ref) } + start_V0 <= i_V1 && i_V1 < end_V0 ==> + acc((ShArrayloc((sarray(s_V0): ShArray[Ref]), sadd((soffset(s_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, write)) +} + +predicate ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +predicate dynamic_pred_8_unknown(i: Tuple2[Ref, Types]) + +// decreases _ +method PackWithPad_cd675838_MHostSVC(h_V0: Int, pad_V0: Int) + returns (res_V0: Slice[Ref]) + requires pad_V0 >= 0 + ensures (forall fn$$0: Int :: + { (ShArrayloc((sarray(res_V0): ShArray[Ref]), sadd((soffset(res_V0): Int), + fn$$0)): Ref) } + 0 <= fn$$0 && fn$$0 < (slen(res_V0): Int) ==> + acc((ShArrayloc((sarray(res_V0): ShArray[Ref]), sadd((soffset(res_V0): Int), + fn$$0)): Ref).Intbyte$$$$_E_$$$, write)) + + +// decreases _ +method To4_5c610647_MIP(ip_V0: Slice[Ref], wildcard_V0: Bool) + returns (res_V0: Slice[Ref]) + requires wildcard_V0 ==> + (forall i_V1: Int :: + { (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(ip_V0): Int) ==> + acc((ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, wildcard)) + requires !wildcard_V0 ==> + (forall i_V2: Int :: + { (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V2)): Ref) } + 0 <= i_V2 && i_V2 < (slen(ip_V0): Int) ==> + acc((ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V2)): Ref).Intbyte$$$$_E_$$$, 1 / 4194304)) + ensures wildcard_V0 ==> + (forall i_V1: Int :: + { (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V1)): Ref) } 
+ 0 <= i_V1 && i_V1 < (slen(ip_V0): Int) ==> + acc((ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V1)): Ref).Intbyte$$$$_E_$$$, wildcard)) + ensures !wildcard_V0 ==> + (forall i_V2: Int :: + { (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V2)): Ref) } + 0 <= i_V2 && i_V2 < (slen(ip_V0): Int) ==> + acc((ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + i_V2)): Ref).Intbyte$$$$_E_$$$, 1 / 4194304)) + ensures !(res_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> + (slen(res_V0): Int) == 4 + ensures (slen(ip_V0): Int) == 4 ==> ip_V0 == res_V0 + ensures (slen(ip_V0): Int) == 16 && + isZeros_5c610647_F(ssliceFromSlice_Ref(ip_V0, 0, 10)) && + (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), 10)): Ref).Intbyte$$$$_E_$$$ == + 255 && + (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), 11)): Ref).Intbyte$$$$_E_$$$ == + 255 ==> + !(res_V0 == sliceDefault_Intbyte$$$_S_$$$()) + ensures (slen(ip_V0): Int) == 16 && + !(isZeros_5c610647_F(ssliceFromSlice_Ref(ip_V0, 0, 10)) && + (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), 10)): Ref).Intbyte$$$$_E_$$$ == + 255 && + (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), 11)): Ref).Intbyte$$$$_E_$$$ == + 255) ==> + res_V0 == sliceDefault_Intbyte$$$_S_$$$() + ensures (slen(ip_V0): Int) == 16 && + !(res_V0 == sliceDefault_Intbyte$$$_S_$$$()) ==> + (forall i_V3: Int :: + { (ShArrayloc((sarray(res_V0): ShArray[Ref]), sadd((soffset(res_V0): Int), + i_V3)): Ref) } + 0 <= i_V3 && i_V3 < 4 ==> + (ShArrayloc((sarray(ip_V0): ShArray[Ref]), sadd((soffset(ip_V0): Int), + 12 + i_V3)): Ref) == + (ShArrayloc((sarray(res_V0): ShArray[Ref]), sadd((soffset(res_V0): Int), + i_V3)): Ref)) + ensures !((slen(ip_V0): Int) == 4) && !((slen(ip_V0): Int) == 16) ==> + res_V0 == sliceDefault_Intbyte$$$_S_$$$() + + +// decreases +method packAddr_840d9458_F(hostAddr_V0: Tuple2[Ref, Types], wildcard_V0: Bool) 
+ returns (addrtyp_V0: Int, b_V0: Slice[Ref], err_V0: Tuple2[Ref, Types]) + requires wildcard_V0 ==> acc(dynamic_pred_8(hostAddr_V0), wildcard) + requires !wildcard_V0 ==> acc(dynamic_pred_8(hostAddr_V0), 1 / 2097152) + ensures !wildcard_V0 ==> acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) + ensures hostAddr_V0 == old(hostAddr_V0) + ensures isIP_840d9458_F(hostAddr_V0) ==> + err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + ensures isHostSVC_840d9458_F(hostAddr_V0) ==> + err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) ==> + isIP_840d9458_F(hostAddr_V0) || isHostSVC_840d9458_F(hostAddr_V0) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), wildcard) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + wildcard_V0 && + isHostSVC_840d9458_F(hostAddr_V0) ==> + acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isHostSVC_840d9458_F(hostAddr_V0) ==> + acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), write) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isHostSVC_840d9458_F(hostAddr_V0) ==> + acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), 1 / 4194304) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + acc(AbsSlice_Bytes_e630ae22_F(b_V0, 0, (slen(b_V0): Int)), 1 / 4194304) --* + 
acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (isIPv4_840d9458_F(hostAddr_V0) ? + (forall i_V1: Int :: + { (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V1)): Ref) } + (0 <= i_V1 && i_V1 < (slen(b_V0): Int) ? + (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V1)): Ref) == + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref) : + true)) : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (isIPv6_840d9458_F(hostAddr_V0) && + isConvertibleToIPv4_840d9458_F(hostAddr_V0) ? + (forall i_V2: Int :: + { (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V2)): Ref) } + (0 <= i_V2 && i_V2 < (slen(b_V0): Int) ? 
+ (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V2)): Ref) == + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + 12 + i_V2)): Ref) : + true)) : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (!isIPv4_840d9458_F(hostAddr_V0) && !isIPv6_840d9458_F(hostAddr_V0) ? + (forall i_V1: Int :: + { (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V1)): Ref) } + (0 <= i_V1 && i_V1 < (slen(b_V0): Int) ? 
+ (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V1)): Ref) == + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref) : + true)) : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (isIPv6_840d9458_F(hostAddr_V0) && + !isConvertibleToIPv4_840d9458_F(hostAddr_V0) ? + (forall i_V1: Int :: + { (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V1)): Ref) } + (0 <= i_V1 && i_V1 < (slen(b_V0): Int) ? 
+ (ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + i_V1)): Ref) == + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + i_V1)): Ref) : + true)) : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (isIPv4_840d9458_F(hostAddr_V0) ? + (slen(b_V0): Int) == + (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (isIPv6_840d9458_F(hostAddr_V0) && + isConvertibleToIPv4_840d9458_F(hostAddr_V0) ? 
+ (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) == + (slen(b_V0): Int) + 12 : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (!isIPv4_840d9458_F(hostAddr_V0) && !isIPv6_840d9458_F(hostAddr_V0) ? + (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) == + (slen(b_V0): Int) : + true)) + ensures err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) && + !wildcard_V0 && + isIP_840d9458_F(hostAddr_V0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0), 1 / 4194304) in + (isIPv6_840d9458_F(hostAddr_V0) && + !isConvertibleToIPv4_840d9458_F(hostAddr_V0) ? 
+ (slen((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int) == + (slen(b_V0): Int) : + true)) + ensures (err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) == + (typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0) == + pointer_Types(IPAddr_5c610647_T_Types()) || + typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0) == + HostSVC_cd675838_T_Types()) +{ + inhale addrtyp_V0 == 0 + inhale b_V0 == sliceDefault_Intbyte$$$_S_$$$() + inhale err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl hostAddr_V0_CN0: Addr_5c610647_T°°, wildcard_V0_CN1: bool°°, addrtyp_V0_CN2: AddrType_840d9458_T°°, b_V0_CN3: []byte@°°, err_V0_CN4: error_a4af0e5e_T°° + var err_V0_CN4: Tuple2[Ref, Types] + var b_V0_CN3: Slice[Ref] + var addrtyp_V0_CN2: Int + var wildcard_V0_CN1: Bool + var hostAddr_V0_CN0: Tuple2[Ref, Types] + + + + // init hostAddr_V0_CN0 + inhale hostAddr_V0_CN0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // init wildcard_V0_CN1 + inhale wildcard_V0_CN1 == false + + // init addrtyp_V0_CN2 + inhale addrtyp_V0_CN2 == 0 + + // init b_V0_CN3 + inhale b_V0_CN3 == sliceDefault_Intbyte$$$_S_$$$() + + // init err_V0_CN4 + inhale err_V0_CN4 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // hostAddr_V0_CN0 = hostAddr_V0 + hostAddr_V0_CN0 := hostAddr_V0 + + // wildcard_V0_CN1 = wildcard_V0 + wildcard_V0_CN1 := wildcard_V0 + + // decl N37: Addr_5c610647_T°°, N48: []interface{ name is empty_interface }@°°, N49: error_a4af0e5e_T°° + var N49: Tuple2[Ref, Types] + var N48: Slice[Ref] + var N37: Tuple2[Ref, Types] + + // N37 = hostAddr_V0_CN0 + N37 := hostAddr_V0_CN0 + + // N37 = hostAddr_V0_CN0 + N37 := hostAddr_V0_CN0 + + // if(typeOf(N37) == *IPAddr_5c610647_T || false) {...} else {...} + if (typeOfInterface_Y$53a71dc3_5c610647_(N37) == 
+ pointer_Types(IPAddr_5c610647_T_Types()) || + false) { + + // decl a_V3: *IPAddr_5c610647_T@°°, verScionTmp_V6: IP_5c610647_T°° + var verScionTmp_V6: Slice[Ref] + var a_V3: ShStruct2[Ref, Ref] + + // a_V3 = N37.(*IPAddr_5c610647_T@°) + a_V3 := assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(N37), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(N37): Ref)): ShStruct2[Ref, Ref])) + + // if(wildcard_V0_CN1) {...} else {...} + if (wildcard_V0_CN1) { + + // decl + + // unfold acc(hostAddr_V0_CN0.Mem(), _) + unfold acc(dynamic_pred_8(hostAddr_V0_CN0), wildcard) + } else { + + // decl + + // unfold acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) + unfold acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) + } + + // decl N38: IP_5c610647_T°°, ip_V4: IP_5c610647_T°° + var ip_V4: Slice[Ref] + var N38: Slice[Ref] + + // N38 = *a_V3.IPATo4(wildcard_V0_CN1) + N38 := To4_5c610647_MIP((ShStructget0of2(a_V3): Ref).DefinedIP_5c610647_T$$$$_E_$$$, + wildcard_V0_CN1) + + // init ip_V4 + inhale ip_V4 == sliceDefault_Intbyte$$$_S_$$$() + + // ip_V4 = N38 + ip_V4 := N38 + + // if(ip_V4 != (nil:IP_5c610647_T°)) {...} else {...} + if (!(ip_V4 == sliceDefault_Intbyte$$$_S_$$$())) { + + // decl + + // if(!wildcard_V0_CN1 && isIPv6_840d9458_F(toInterface(a_V3))) {...} else {...} + if (!wildcard_V0_CN1 && + isIPv6_840d9458_F((tuple2((box_Poly(a_V3): Ref), pointer_Types(IPAddr_5c610647_T_Types())): Tuple2[Ref, Types]))) { + + // decl + + // assert isConvertibleToIPv4_840d9458_F(hostAddr_V0_CN0) ==> forall i_V5: int° :: { &b_V0_CN3[i_V5] } 0 <= i_V5 && i_V5 < len(b_V0_CN3) ==> &b_V0_CN3[i_V5] == &*a_V3.IPA[12 + i_V5] + assert isConvertibleToIPv4_840d9458_F(hostAddr_V0_CN0) ==> + (forall i_V5: Int :: + { (ShArrayloc((sarray(b_V0_CN3): ShArray[Ref]), sadd((soffset(b_V0_CN3): Int), + i_V5)): Ref) } + 0 <= i_V5 && i_V5 < (slen(b_V0_CN3): Int) ==> + (ShArrayloc((sarray(b_V0_CN3): ShArray[Ref]), sadd((soffset(b_V0_CN3): Int), + i_V5)): Ref) == 
+ (ShArrayloc((sarray((ShStructget0of2(a_V3): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(a_V3): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + 12 + i_V5)): Ref)) + } + + // assert !wildcard_V0_CN1 && isIP_840d9458_F(hostAddr_V0_CN0) ==> unfolding acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) in isIPv6_840d9458_F(hostAddr_V0_CN0) && isConvertibleToIPv4_840d9458_F(hostAddr_V0_CN0)?forall i_V2: int° :: { &b_V0_CN3[i_V2] } 0 <= i_V2 && i_V2 < len(b_V0_CN3)?&b_V0_CN3[i_V2] == &*hostAddr_V0_CN0.(*IPAddr_5c610647_T@°).IPA[12 + i_V2]:true:true + assert !wildcard_V0_CN1 && isIP_840d9458_F(hostAddr_V0_CN0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) in + (isIPv6_840d9458_F(hostAddr_V0_CN0) && + isConvertibleToIPv4_840d9458_F(hostAddr_V0_CN0) ? + (forall i_V2: Int :: + { (ShArrayloc((sarray(b_V0_CN3): ShArray[Ref]), sadd((soffset(b_V0_CN3): Int), + i_V2)): Ref) } + (0 <= i_V2 && i_V2 < (slen(b_V0_CN3): Int) ? + (ShArrayloc((sarray(b_V0_CN3): ShArray[Ref]), sadd((soffset(b_V0_CN3): Int), + i_V2)): Ref) == + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0_CN0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0_CN0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0_CN0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0_CN0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + 12 + i_V2)): Ref) : + true)) : + true)) + + // if(wildcard_V0_CN1) {...} else {...} + if (wildcard_V0_CN1) { + + // decl + + // fold acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, len(ip_V4)), _) + fold acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, (slen(ip_V4): Int)), wildcard) + } else { + + // decl + + // fold 
acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, len(ip_V4)), perm(1/4194304)) + fold acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, (slen(ip_V4): Int)), 1 / + 4194304) + + // package acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, len(ip_V4)), perm(1/4194304)) --* acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) + package acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, (slen(ip_V4): Int)), 1 / + 4194304) --* + acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) { + + // decl + + // unfold acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, len(ip_V4)), perm(1/4194304)) + unfold acc(AbsSlice_Bytes_e630ae22_F(ip_V4, 0, (slen(ip_V4): Int)), 1 / + 4194304) + + // fold acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) + fold acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) + } + } + + // addrtyp_V0_CN2 = 0 + addrtyp_V0_CN2 := 0 + + // b_V0_CN3 = ip_V4 + b_V0_CN3 := ip_V4 + + // err_V0_CN4 = (nil:error_a4af0e5e_T°) + err_V0_CN4 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + } + + // assert !wildcard_V0_CN1 && isIP_840d9458_F(hostAddr_V0_CN0) ==> unfolding acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) in isIPv6_840d9458_F(hostAddr_V0_CN0) && isConvertibleToIPv4_840d9458_F(hostAddr_V0_CN0)?forall i_V2: int° :: { &b_V0_CN3[i_V2] } 0 <= i_V2 && i_V2 < len(b_V0_CN3)?&b_V0_CN3[i_V2] == &*hostAddr_V0_CN0.(*IPAddr_5c610647_T@°).IPA[12 + i_V2]:true:true + assert !wildcard_V0_CN1 && isIP_840d9458_F(hostAddr_V0_CN0) ==> + (unfolding acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) in + (isIPv6_840d9458_F(hostAddr_V0_CN0) && + isConvertibleToIPv4_840d9458_F(hostAddr_V0_CN0) ? + (forall i_V2: Int :: + { (ShArrayloc((sarray(b_V0_CN3): ShArray[Ref]), sadd((soffset(b_V0_CN3): Int), + i_V2)): Ref) } + (0 <= i_V2 && i_V2 < (slen(b_V0_CN3): Int) ? 
+ (ShArrayloc((sarray(b_V0_CN3): ShArray[Ref]), sadd((soffset(b_V0_CN3): Int), + i_V2)): Ref) == + (ShArrayloc((sarray((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0_CN0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0_CN0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): ShArray[Ref]), + sadd((soffset((ShStructget0of2(assertArg2_ShStruct2_RefRef(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(hostAddr_V0_CN0), + pointer_Types(IPAddr_5c610647_T_Types())), (unbox_Poly((get0of2(hostAddr_V0_CN0): Ref)): ShStruct2[Ref, Ref]))): Ref).DefinedIP_5c610647_T$$$$_E_$$$): Int), + 12 + i_V2)): Ref) : + true)) : + true)) + + // init verScionTmp_V6 + inhale verScionTmp_V6 == sliceDefault_Intbyte$$$_S_$$$() + + // verScionTmp_V6 = *a_V3.IPA + verScionTmp_V6 := (ShStructget0of2(a_V3): Ref).DefinedIP_5c610647_T$$$$_E_$$$ + + // if(wildcard_V0_CN1) {...} else {...} + if (wildcard_V0_CN1) { + + // decl + + // fold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, len(verScionTmp_V6)), _) + fold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, (slen(verScionTmp_V6): Int)), wildcard) + } else { + + // decl + + // fold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, len(verScionTmp_V6)), perm(1/4194304)) + fold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, (slen(verScionTmp_V6): Int)), 1 / + 4194304) + + // package acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, len(verScionTmp_V6)), perm(1/4194304)) --* acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) + package acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, (slen(verScionTmp_V6): Int)), 1 / + 4194304) --* + acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) { + + // decl + + // unfold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, len(verScionTmp_V6)), perm(1/4194304)) + unfold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V6, 0, (slen(verScionTmp_V6): Int)), 1 / + 4194304) + + // fold 
acc(hostAddr_V0_CN0.Mem(), perm(1/4194304)) + fold acc(dynamic_pred_8(hostAddr_V0_CN0), 1 / 4194304) + } + } + + // addrtyp_V0_CN2 = 3 + addrtyp_V0_CN2 := 3 + + // b_V0_CN3 = verScionTmp_V6 + b_V0_CN3 := verScionTmp_V6 + + // err_V0_CN4 = (nil:error_a4af0e5e_T°) + err_V0_CN4 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + } else { + + // if(typeOf(N37) == HostSVC_cd675838_T || false) {...} else {...} + if (typeOfInterface_Y$53a71dc3_5c610647_(N37) == + HostSVC_cd675838_T_Types() || + false) { + + // decl a_V3: HostSVC_cd675838_T°°, N47: []byte@°°, verScionTmp_V7: []byte@°° + var verScionTmp_V7: Slice[Ref] + var N47: Slice[Ref] + var a_V3: Int + + // a_V3 = N37.(HostSVC_cd675838_T°) + a_V3 := assertArg2_Int(behavioral_subtype_Types(typeOfInterface_Y$53a71dc3_5c610647_(N37), + HostSVC_cd675838_T_Types()), (unbox_Poly((get0of2(N37): Ref)): Int)) + + // N47 = a_V3PackWithPad(2) + N47 := PackWithPad_cd675838_MHostSVC(a_V3, 2) + + // init verScionTmp_V7 + inhale verScionTmp_V7 == sliceDefault_Intbyte$$$_S_$$$() + + // verScionTmp_V7 = N47 + verScionTmp_V7 := N47 + + // fold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V7, 0, len(verScionTmp_V7))) + fold acc(AbsSlice_Bytes_e630ae22_F(verScionTmp_V7, 0, (slen(verScionTmp_V7): Int)), write) + + // addrtyp_V0_CN2 = 4 + addrtyp_V0_CN2 := 4 + + // b_V0_CN3 = verScionTmp_V7 + b_V0_CN3 := verScionTmp_V7 + + // err_V0_CN4 = (nil:error_a4af0e5e_T°) + err_V0_CN4 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + } + } + + // N48 = new([]interface{ name is empty_interface }@ { 0:toInterface("addr"), 1:hostAddr_V0_CN0 }) + var fn$$0: Emb_2_Interfaceempty_interface$$$_S_$$$ + var fn$$2: Emb_2_Interfaceempty_interface$$$_S_$$$ + var fn$$3: Emb_2_Interfaceempty_interface$$$$_E_$$$ + inhale (forall fn$$1: Int :: + { (ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + fn$$1): Ref) } + 0 <= fn$$1 && fn$$1 < 2 ==> + 
acc((ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + fn$$1): Ref).Interfaceempty_interface$$$$_E_$$$, write)) && + !(fn$$0 == + box_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_2_Interfaceempty_interface$$$_S_$$$())) + fn$$2 := fn$$0 + fn$$3 := box_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(Seq((tuple2((box_Poly(stringLit61646472()): Ref), + string_Types()): Tuple2[Ref, Types]), hostAddr_V0_CN0)) + inhale (forall fn$$4: Int :: + { (ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$2), + fn$$4): Ref) } + { unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$3)[fn$$4] } + 0 <= fn$$4 && fn$$4 < 2 ==> + (ShArrayloc(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$2), + fn$$4): Ref).Interfaceempty_interface$$$$_E_$$$ == + unbox_Emb_2_Interfaceempty_interface$$$$_E_$$$_Seq_Tuple2_RefTypes(fn$$3)[fn$$4]) + N48 := ssliceFromArray_Ref(unbox_Emb_2_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(fn$$0), + 0, 2) + + // N49 = New_bfd5223e_F("unsupported address", N48) + N49 := New_bfd5223e_F(stringLit756e737570706f727465642061646472657373(), N48) + + // addrtyp_V0_CN2 = 0 + addrtyp_V0_CN2 := 0 + + // b_V0_CN3 = (nil:[]byte@°) + b_V0_CN3 := sliceDefault_Intbyte$$$_S_$$$() + + // err_V0_CN4 = N49 + err_V0_CN4 := N49 + + // return + goto returnLabel + label returnLabel + + // addrtyp_V0 = addrtyp_V0_CN2 + addrtyp_V0 := addrtyp_V0_CN2 + + // b_V0 = b_V0_CN3 + b_V0 := b_V0_CN3 + + // err_V0 = err_V0_CN4 + err_V0 := err_V0_CN4 +} + +// decreases _ +method New_bfd5223e_F(msg_V0: Int, errCtx_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) 
+ ensures (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0) diff --git a/src/test/resources/biabduction/frontends/gobra/scion_pseudoHeaderChecksum.vpr b/src/test/resources/biabduction/frontends/gobra/scion_pseudoHeaderChecksum.vpr new file mode 100644 index 00000000..87258730 --- /dev/null +++ b/src/test/resources/biabduction/frontends/gobra/scion_pseudoHeaderChecksum.vpr 
@@ -0,0 +1,3100 @@ +domain ShStruct2[T0, T1] { + + function ShStructget1of2(x: ShStruct2[T0, T1]): T1 + + function ShStructget0of2(x: ShStruct2[T0, T1]): T0 + + function ShStructrev1of2(v1: T1): ShStruct2[T0, T1] + + function ShStructrev0of2(v0: T0): ShStruct2[T0, T1] + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget1of2(x): T1) } + (ShStructrev1of2((ShStructget1of2(x): T1)): ShStruct2[T0, T1]) == x) + } + + axiom { + (forall x: ShStruct2[T0, T1], y: ShStruct2[T0, T1] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of2(x): T0) == (ShStructget0of2(y): T0) && + (ShStructget1of2(x): T1) == (ShStructget1of2(y): T1))) + } + + axiom { + (forall x: ShStruct2[T0, T1] :: + { (ShStructget0of2(x): T0) } + (ShStructrev0of2((ShStructget0of2(x): T0)): ShStruct2[T0, T1]) == x) + } +} + +domain Types { + + function SCMPEcho_840d9458_T_Types(): Types + + unique function Decoded_daeaf66a_T_Types_tag(): Int + + function LayerType_b41831d7_T_Types(): Types + + function Y$558431e4_a6ceb89d__Types(): Types + + unique function SCMPPacketTooBig_840d9458_T_Types_tag(): Int + + function Y$c2e55be_72f0d887__Types(): Types + + unique function Y$35202e5_cd675838__Types_tag(): Int + + unique function Y$17800ab4_b41831d7__Types_tag(): Int + + unique function Path_c6e60a1d_T_Types_tag(): Int + + unique function byte_Types_tag(): Int + + unique function UDPAddr_5c610647_T_Types_tag(): Int + + unique function pointer_Types_tag(): Int + + unique function SCMPEcho_840d9458_T_Types_tag(): Int + + unique function Y$60c7bddc_b41831d7__Types_tag(): Int + + function get_0_pointer_Types(t: Types): Types + + unique function Y$53a71dc3_5c610647__Types_tag(): Int + + function HostSVC_cd675838_T_Types(): Types + + function slice_Types(p0: Types): Types + + function Path_c385169_T_Types(): Types + + function Y$68d3cee9_b41831d7__Types(): Types + + unique function nilDecodeFeedback_b41831d7_T_Types_tag(): Int + + function Y$17800ab4_b41831d7__Types(): Types + + function 
HostIPv6_cd675838_T_Types(): Types + + function SCMPTraceroute_840d9458_T_Types(): Types + + function Y$8f734176_14a7fb6d__Types(): Types + + function Path_c6e60a1d_T_Types(): Types + + function comparableType_Types(t: Types): Bool + + unique function bigEndian_72f0d887_T_Types_tag(): Int + + function SCION_840d9458_T_Types(): Types + + unique function Y$49c4c25f_d3743b4f__Types_tag(): Int + + function Payload_b41831d7_T_Types(): Types + + unique function HostIPv6_cd675838_T_Types_tag(): Int + + function HostIPv4_cd675838_T_Types(): Types + + function SCMPDestinationUnreachable_840d9458_T_Types(): Types + + unique function AddrType_840d9458_T_Types_tag(): Int + + unique function HostIPv4_cd675838_T_Types_tag(): Int + + unique function BFD_6416454f_T_Types_tag(): Int + + function Y$53a71dc3_5c610647__Types(): Types + + function Path_4cddb96f_T_Types(): Types + + function SCMPTypeCode_840d9458_T_Types(): Types + + unique function EndToEndExtn_840d9458_T_Types_tag(): Int + + unique function L4ProtocolType_840d9458_T_Types_tag(): Int + + unique function SCMPType_840d9458_T_Types_tag(): Int + + function EndToEndExtn_840d9458_T_Types(): Types + + unique function Y$9127f611_b41831d7__Types_tag(): Int + + unique function SCMPDestinationUnreachable_840d9458_T_Types_tag(): Int + + unique function littleEndian_72f0d887_T_Types_tag(): Int + + unique function HopByHopExtnSkipper_840d9458_T_Types_tag(): Int + + unique function Y$8f734176_14a7fb6d__Types_tag(): Int + + unique function Y$febd64e7_b41831d7__Types_tag(): Int + + unique function uint16_Types_tag(): Int + + unique function HostSVC_cd675838_T_Types_tag(): Int + + unique function Raw_daeaf66a_T_Types_tag(): Int + + unique function SCMPTraceroute_840d9458_T_Types_tag(): Int + + unique function IA_cd675838_T_Types_tag(): Int + + unique function SCMPTypeCode_840d9458_T_Types_tag(): Int + + function Decoded_daeaf66a_T_Types(): Types + + unique function Y$558431e4_a6ceb89d__Types_tag(): Int + + function 
bigEndian_72f0d887_T_Types(): Types + + function string_Types(): Types + + unique function Path_c385169_T_Types_tag(): Int + + function IPAddr_5c610647_T_Types(): Types + + function L4ProtocolType_840d9458_T_Types(): Types + + unique function Y$9c78df5f_b41831d7__Types_tag(): Int + + unique function SCMP_840d9458_T_Types_tag(): Int + + unique function rawPath_a6ceb89d_T_Types_tag(): Int + + unique function Y$68d3cee9_b41831d7__Types_tag(): Int + + function SCMPCode_840d9458_T_Types(): Types + + function Y$b28ae4_ac87dd1d__Types(): Types + + unique function Y$b28ae4_ac87dd1d__Types_tag(): Int + + function SCMP_840d9458_T_Types(): Types + + function pointer_Types(p0: Types): Types + + unique function Path_4cddb96f_T_Types_tag(): Int + + unique function HostNone_cd675838_T_Types_tag(): Int + + unique function Y$6914870a_b41831d7__Types_tag(): Int + + function Y$6914870a_b41831d7__Types(): Types + + function tag_Types(t: Types): Int + + function rawPath_a6ceb89d_T_Types(): Types + + function Y$49c4c25f_d3743b4f__Types(): Types + + function EndToEndExtnSkipper_840d9458_T_Types(): Types + + function int_Types(): Types + + function Y$60c7bddc_b41831d7__Types(): Types + + function uint16_Types(): Types + + function integer_Types(): Types + + unique function Payload_b41831d7_T_Types_tag(): Int + + unique function Y$3191b69e_b41831d7__Types_tag(): Int + + unique function HopByHopExtn_840d9458_T_Types_tag(): Int + + function Y$9127f611_b41831d7__Types(): Types + + function littleEndian_72f0d887_T_Types(): Types + + unique function string_Types_tag(): Int + + function Y$febd64e7_b41831d7__Types(): Types + + unique function SCMPParameterProblem_840d9458_T_Types_tag(): Int + + function IA_cd675838_T_Types(): Types + + function AS_cd675838_T_Types(): Types + + unique function LayerType_b41831d7_T_Types_tag(): Int + + unique function Y$c2e55be_72f0d887__Types_tag(): Int + + unique function slice_Types_tag(): Int + + function SCMPParameterProblem_840d9458_T_Types(): Types + + 
function nil_Types(): Types + + function BFD_6416454f_T_Types(): Types + + function nilDecodeFeedback_b41831d7_T_Types(): Types + + function Y$3191b69e_b41831d7__Types(): Types + + unique function SCMPInternalConnectivityDown_840d9458_T_Types_tag(): Int + + function Raw_daeaf66a_T_Types(): Types + + function SCMPExternalInterfaceDown_840d9458_T_Types(): Types + + function empty_interface_Types(): Types + + function HostNone_cd675838_T_Types(): Types + + function SCMPInternalConnectivityDown_840d9458_T_Types(): Types + + unique function SCMPExternalInterfaceDown_840d9458_T_Types_tag(): Int + + function HopByHopExtnSkipper_840d9458_T_Types(): Types + + unique function EndToEndExtnSkipper_840d9458_T_Types_tag(): Int + + unique function nil_Types_tag(): Int + + function SCMPPacketTooBig_840d9458_T_Types(): Types + + unique function IPAddr_5c610647_T_Types_tag(): Int + + unique function empty_interface_Types_tag(): Int + + function AddrType_840d9458_T_Types(): Types + + function behavioral_subtype_Types(l: Types, r: Types): Bool + + unique function int_Types_tag(): Int + + function byte_Types(): Types + + function HopByHopExtn_840d9458_T_Types(): Types + + function UDPAddr_5c610647_T_Types(): Types + + function SCMPType_840d9458_T_Types(): Types + + unique function integer_Types_tag(): Int + + unique function SCMPCode_840d9458_T_Types_tag(): Int + + function Y$35202e5_cd675838__Types(): Types + + unique function SCION_840d9458_T_Types_tag(): Int + + function Y$9c78df5f_b41831d7__Types(): Types + + unique function AS_cd675838_T_Types_tag(): Int + + axiom { + tag_Types(string_Types()) == string_Types_tag() + } + + axiom { + tag_Types(HostIPv4_cd675838_T_Types()) == + HostIPv4_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(HostSVC_cd675838_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { slice_Types(p0) } + tag_Types(slice_Types(p0)) == slice_Types_tag()) + } + + axiom { + comparableType_Types(nil_Types()) == true + } + + axiom { + 
comparableType_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(bigEndian_72f0d887_T_Types()) == + bigEndian_72f0d887_T_Types_tag() + } + + axiom { + comparableType_Types(bigEndian_72f0d887_T_Types()) == true + } + + axiom { + tag_Types(rawPath_a6ceb89d_T_Types()) == rawPath_a6ceb89d_T_Types_tag() + } + + axiom { + tag_Types(EndToEndExtn_840d9458_T_Types()) == + EndToEndExtn_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$35202e5_cd675838__Types()) == false + } + + axiom { + tag_Types(LayerType_b41831d7_T_Types()) == + LayerType_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(Y$68d3cee9_b41831d7__Types()) == + Y$68d3cee9_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(Path_c385169_T_Types()) == true + } + + axiom { + tag_Types(Raw_daeaf66a_T_Types()) == Raw_daeaf66a_T_Types_tag() + } + + axiom { + tag_Types(littleEndian_72f0d887_T_Types()) == + littleEndian_72f0d887_T_Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, a) } + behavioral_subtype_Types(a, a)) + } + + axiom { + comparableType_Types(int_Types()) == true + } + + axiom { + tag_Types(HopByHopExtnSkipper_840d9458_T_Types()) == + HopByHopExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + tag_Types(L4ProtocolType_840d9458_T_Types()) == + L4ProtocolType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPTypeCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$9c78df5f_b41831d7__Types()) == + Y$9c78df5f_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(integer_Types()) == true + } + + axiom { + comparableType_Types(Y$17800ab4_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(Y$6914870a_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(Y$68d3cee9_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(UDPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(SCMP_840d9458_T_Types()) == SCMP_840d9458_T_Types_tag() + } + + 
axiom { + comparableType_Types(SCMPCode_840d9458_T_Types()) == true + } + + axiom { + tag_Types(SCMPPacketTooBig_840d9458_T_Types()) == + SCMPPacketTooBig_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HostSVC_cd675838_T_Types()) == HostSVC_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(HostIPv6_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(Raw_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(Y$60c7bddc_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(rawPath_a6ceb89d_T_Types()) == true + } + + axiom { + comparableType_Types(HopByHopExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$17800ab4_b41831d7__Types()) == + Y$17800ab4_b41831d7__Types_tag() + } + + axiom { + tag_Types(Path_c6e60a1d_T_Types()) == Path_c6e60a1d_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$9127f611_b41831d7__Types()) == + Y$9127f611_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(HopByHopExtn_840d9458_T_Types()) == true + } + + axiom { + (forall p0: Types :: + { pointer_Types(p0) } + tag_Types(pointer_Types(p0)) == pointer_Types_tag()) + } + + axiom { + comparableType_Types(nilDecodeFeedback_b41831d7_T_Types()) == true + } + + axiom { + comparableType_Types(Y$9c78df5f_b41831d7__Types()) == false + } + + axiom { + (forall x0: Types :: + { pointer_Types(x0) } + get_0_pointer_Types(pointer_Types(x0)) == x0) + } + + axiom { + tag_Types(SCMPTypeCode_840d9458_T_Types()) == + SCMPTypeCode_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(SCMPEcho_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(EndToEndExtnSkipper_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$b28ae4_ac87dd1d__Types()) == false + } + + axiom { + comparableType_Types(string_Types()) == true + } + + axiom { + (forall a: Types, b: Types, c: Types :: + { behavioral_subtype_Types(a, b), 
behavioral_subtype_Types(b, c) } + behavioral_subtype_Types(a, b) && behavioral_subtype_Types(b, c) ==> + behavioral_subtype_Types(a, c)) + } + + axiom { + comparableType_Types(empty_interface_Types()) == false + } + + axiom { + comparableType_Types(Y$c2e55be_72f0d887__Types()) == false + } + + axiom { + comparableType_Types(Y$53a71dc3_5c610647__Types()) == false + } + + axiom { + comparableType_Types(LayerType_b41831d7_T_Types()) == true + } + + axiom { + tag_Types(AS_cd675838_T_Types()) == AS_cd675838_T_Types_tag() + } + + axiom { + tag_Types(Y$febd64e7_b41831d7__Types()) == + Y$febd64e7_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(SCION_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$b28ae4_ac87dd1d__Types()) == Y$b28ae4_ac87dd1d__Types_tag() + } + + axiom { + tag_Types(AddrType_840d9458_T_Types()) == + AddrType_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$49c4c25f_d3743b4f__Types()) == + Y$49c4c25f_d3743b4f__Types_tag() + } + + axiom { + comparableType_Types(AS_cd675838_T_Types()) == true + } + + axiom { + comparableType_Types(SCMPPacketTooBig_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$febd64e7_b41831d7__Types()) == false + } + + axiom { + tag_Types(SCMPEcho_840d9458_T_Types()) == + SCMPEcho_840d9458_T_Types_tag() + } + + axiom { + tag_Types(UDPAddr_5c610647_T_Types()) == UDPAddr_5c610647_T_Types_tag() + } + + axiom { + tag_Types(SCMPParameterProblem_840d9458_T_Types()) == + SCMPParameterProblem_840d9458_T_Types_tag() + } + + axiom { + (forall a: Types :: + { behavioral_subtype_Types(a, empty_interface_Types()) } + behavioral_subtype_Types(a, empty_interface_Types())) + } + + axiom { + tag_Types(Y$558431e4_a6ceb89d__Types()) == + Y$558431e4_a6ceb89d__Types_tag() + } + + axiom { + comparableType_Types(littleEndian_72f0d887_T_Types()) == true + } + + axiom { + tag_Types(EndToEndExtnSkipper_840d9458_T_Types()) == + EndToEndExtnSkipper_840d9458_T_Types_tag() + } + + axiom { + 
tag_Types(Path_4cddb96f_T_Types()) == Path_4cddb96f_T_Types_tag() + } + + axiom { + comparableType_Types(HostIPv4_cd675838_T_Types()) == false + } + + axiom { + tag_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + SCMPInternalConnectivityDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$60c7bddc_b41831d7__Types()) == + Y$60c7bddc_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(EndToEndExtn_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Payload_b41831d7_T_Types()) == false + } + + axiom { + tag_Types(integer_Types()) == integer_Types_tag() + } + + axiom { + comparableType_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + true + } + + axiom { + tag_Types(SCMPExternalInterfaceDown_840d9458_T_Types()) == + SCMPExternalInterfaceDown_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Y$53a71dc3_5c610647__Types()) == + Y$53a71dc3_5c610647__Types_tag() + } + + axiom { + tag_Types(SCMPType_840d9458_T_Types()) == + SCMPType_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(byte_Types()) == true + } + + axiom { + tag_Types(Y$6914870a_b41831d7__Types()) == + Y$6914870a_b41831d7__Types_tag() + } + + axiom { + tag_Types(BFD_6416454f_T_Types()) == BFD_6416454f_T_Types_tag() + } + + axiom { + comparableType_Types(Decoded_daeaf66a_T_Types()) == true + } + + axiom { + comparableType_Types(IPAddr_5c610647_T_Types()) == true + } + + axiom { + tag_Types(Path_c385169_T_Types()) == Path_c385169_T_Types_tag() + } + + axiom { + tag_Types(HostIPv6_cd675838_T_Types()) == + HostIPv6_cd675838_T_Types_tag() + } + + axiom { + tag_Types(byte_Types()) == byte_Types_tag() + } + + axiom { + comparableType_Types(BFD_6416454f_T_Types()) == true + } + + axiom { + tag_Types(SCMPCode_840d9458_T_Types()) == + SCMPCode_840d9458_T_Types_tag() + } + + axiom { + tag_Types(HopByHopExtn_840d9458_T_Types()) == + HopByHopExtn_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(Y$49c4c25f_d3743b4f__Types()) == false + } + + axiom { + 
comparableType_Types(Y$3191b69e_b41831d7__Types()) == false + } + + axiom { + comparableType_Types(SCMPParameterProblem_840d9458_T_Types()) == true + } + + axiom { + tag_Types(nil_Types()) == nil_Types_tag() + } + + axiom { + tag_Types(IPAddr_5c610647_T_Types()) == IPAddr_5c610647_T_Types_tag() + } + + axiom { + comparableType_Types(IA_cd675838_T_Types()) == true + } + + axiom { + tag_Types(SCION_840d9458_T_Types()) == SCION_840d9458_T_Types_tag() + } + + axiom { + comparableType_Types(L4ProtocolType_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$8f734176_14a7fb6d__Types()) == + Y$8f734176_14a7fb6d__Types_tag() + } + + axiom { + tag_Types(Payload_b41831d7_T_Types()) == Payload_b41831d7_T_Types_tag() + } + + axiom { + tag_Types(int_Types()) == int_Types_tag() + } + + axiom { + tag_Types(SCMPTraceroute_840d9458_T_Types()) == + SCMPTraceroute_840d9458_T_Types_tag() + } + + axiom { + tag_Types(Decoded_daeaf66a_T_Types()) == Decoded_daeaf66a_T_Types_tag() + } + + axiom { + (forall p0: Types :: + { comparableType_Types(slice_Types(p0)) } + comparableType_Types(slice_Types(p0)) == false) + } + + axiom { + tag_Types(empty_interface_Types()) == empty_interface_Types_tag() + } + + axiom { + tag_Types(Y$3191b69e_b41831d7__Types()) == + Y$3191b69e_b41831d7__Types_tag() + } + + axiom { + comparableType_Types(SCMP_840d9458_T_Types()) == true + } + + axiom { + tag_Types(Y$c2e55be_72f0d887__Types()) == + Y$c2e55be_72f0d887__Types_tag() + } + + axiom { + comparableType_Types(Path_c6e60a1d_T_Types()) == true + } + + axiom { + tag_Types(HostNone_cd675838_T_Types()) == + HostNone_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(Y$8f734176_14a7fb6d__Types()) == false + } + + axiom { + comparableType_Types(SCMPTraceroute_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(Y$558431e4_a6ceb89d__Types()) == false + } + + axiom { + tag_Types(nilDecodeFeedback_b41831d7_T_Types()) == + nilDecodeFeedback_b41831d7_T_Types_tag() + } + + axiom { + 
tag_Types(uint16_Types()) == uint16_Types_tag() + } + + axiom { + comparableType_Types(SCMPInternalConnectivityDown_840d9458_T_Types()) == + true + } + + axiom { + comparableType_Types(Path_4cddb96f_T_Types()) == true + } + + axiom { + comparableType_Types(AddrType_840d9458_T_Types()) == true + } + + axiom { + comparableType_Types(uint16_Types()) == true + } + + axiom { + tag_Types(Y$35202e5_cd675838__Types()) == + Y$35202e5_cd675838__Types_tag() + } + + axiom { + (forall p0: Types :: + { comparableType_Types(pointer_Types(p0)) } + comparableType_Types(pointer_Types(p0)) == true) + } + + axiom { + tag_Types(SCMPDestinationUnreachable_840d9458_T_Types()) == + SCMPDestinationUnreachable_840d9458_T_Types_tag() + } + + axiom { + tag_Types(IA_cd675838_T_Types()) == IA_cd675838_T_Types_tag() + } + + axiom { + comparableType_Types(HostNone_cd675838_T_Types()) == false + } + + axiom { + comparableType_Types(Y$9127f611_b41831d7__Types()) == false + } +} + +domain Emb_8_Intbyte$$$$_E_$$$ { + + +} + +domain ShStruct1[T0] { + + function ShStructget0of1(x: ShStruct1[T0]): T0 + + function ShStructrev0of1(v0: T0): ShStruct1[T0] + + axiom { + (forall x: ShStruct1[T0] :: + { (ShStructget0of1(x): T0) } + (ShStructrev0of1((ShStructget0of1(x): T0)): ShStruct1[T0]) == x) + } + + axiom { + (forall x: ShStruct1[T0], y: ShStruct1[T0] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of1(x): T0) == (ShStructget0of1(y): T0))) + } +} + +domain ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] { + + function ShStructget4of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T4 + + function ShStructget10of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T10 + + function ShStructrev4of17(v4: T4): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev10of17(v10: T10): ShStruct17[T0, T1, T2, T3, T4, T5, T6, 
T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev13of17(v13: T13): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget5of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T5 + + function ShStructrev0of17(v0: T0): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev2of17(v2: T2): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev1of17(v1: T1): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget6of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T6 + + function ShStructrev15of17(v15: T15): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget7of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T7 + + function ShStructrev14of17(v14: T14): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget8of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T8 + + function ShStructrev7of17(v7: T7): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget2of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T2 + + function ShStructget11of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T11 + + function ShStructrev12of17(v12: T12): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev11of17(v11: T11): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget3of17(x: ShStruct17[T0, T1, T2, T3, T4, 
T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T3 + + function ShStructrev9of17(v9: T9): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev8of17(v8: T8): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev5of17(v5: T5): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev3of17(v3: T3): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget16of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T16 + + function ShStructget14of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T14 + + function ShStructget13of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T13 + + function ShStructrev16of17(v16: T16): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructrev6of17(v6: T6): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] + + function ShStructget9of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T9 + + function ShStructget12of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T12 + + function ShStructget0of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T0 + + function ShStructget1of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T1 + + function ShStructget15of17(x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]): T15 + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget10of17(x): T10) } + 
(ShStructrev10of17((ShStructget10of17(x): T10)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget1of17(x): T1) } + (ShStructrev1of17((ShStructget1of17(x): T1)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget2of17(x): T2) } + (ShStructrev2of17((ShStructget2of17(x): T2)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget16of17(x): T16) } + (ShStructrev16of17((ShStructget16of17(x): T16)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget8of17(x): T8) } + (ShStructrev8of17((ShStructget8of17(x): T8)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget3of17(x): T3) } + (ShStructrev3of17((ShStructget3of17(x): T3)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget12of17(x): T12) } + (ShStructrev12of17((ShStructget12of17(x): T12)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, 
T11, T12, T13, T14, T15, T16] :: + { (ShStructget7of17(x): T7) } + (ShStructrev7of17((ShStructget7of17(x): T7)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget11of17(x): T11) } + (ShStructrev11of17((ShStructget11of17(x): T11)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16], + y: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of17(x): T0) == (ShStructget0of17(y): T0) && + (ShStructget1of17(x): T1) == (ShStructget1of17(y): T1) && + (ShStructget2of17(x): T2) == (ShStructget2of17(y): T2) && + (ShStructget3of17(x): T3) == (ShStructget3of17(y): T3) && + (ShStructget4of17(x): T4) == (ShStructget4of17(y): T4) && + (ShStructget5of17(x): T5) == (ShStructget5of17(y): T5) && + (ShStructget6of17(x): T6) == (ShStructget6of17(y): T6) && + (ShStructget7of17(x): T7) == (ShStructget7of17(y): T7) && + (ShStructget8of17(x): T8) == (ShStructget8of17(y): T8) && + (ShStructget9of17(x): T9) == (ShStructget9of17(y): T9) && + (ShStructget10of17(x): T10) == (ShStructget10of17(y): T10) && + (ShStructget11of17(x): T11) == (ShStructget11of17(y): T11) && + (ShStructget12of17(x): T12) == (ShStructget12of17(y): T12) && + (ShStructget13of17(x): T13) == (ShStructget13of17(y): T13) && + (ShStructget14of17(x): T14) == (ShStructget14of17(y): T14) && + (ShStructget15of17(x): T15) == (ShStructget15of17(y): T15) && + (ShStructget16of17(x): T16) == (ShStructget16of17(y): T16))) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget5of17(x): T5) } + 
(ShStructrev5of17((ShStructget5of17(x): T5)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget4of17(x): T4) } + (ShStructrev4of17((ShStructget4of17(x): T4)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget6of17(x): T6) } + (ShStructrev6of17((ShStructget6of17(x): T6)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget15of17(x): T15) } + (ShStructrev15of17((ShStructget15of17(x): T15)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget9of17(x): T9) } + (ShStructrev9of17((ShStructget9of17(x): T9)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget0of17(x): T0) } + (ShStructrev0of17((ShStructget0of17(x): T0)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16] :: + { (ShStructget14of17(x): T14) } + (ShStructrev14of17((ShStructget14of17(x): T14)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } + + axiom { + (forall x: ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, 
T12, T13, T14, T15, T16] :: + { (ShStructget13of17(x): T13) } + (ShStructrev13of17((ShStructget13of17(x): T13)): ShStruct17[T0, T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16]) == + x) + } +} + +domain Emb_6_Intbyte$$$_S_$$$ { + + +} + +domain Emb_1_Interfaceempty_interface$$$_S_$$$ { + + +} + +domain Slice[T] { + + function sarray(s: Slice[T]): ShArray[T] + + function scap(s: Slice[T]): Int + + function soffset(s: Slice[T]): Int + + function smake(a: ShArray[T], o: Int, l: Int, c: Int): Slice[T] + + function slen(s: Slice[T]): Int + + axiom deconstructor_over_constructor_array { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (sarray((smake(a, o, l, c): Slice[T])): ShArray[T]) == a) + } + + axiom { + (forall s: Slice[T] :: + { (soffset(s): Int), (scap(s): Int) } + { (ShArraylen((sarray(s): ShArray[T])): Int) } + (soffset(s): Int) + (scap(s): Int) <= + (ShArraylen((sarray(s): ShArray[T])): Int)) + } + + axiom deconstructor_over_constructor_len { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (slen((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (slen((smake(a, o, l, c): Slice[T])): Int) == l) + } + + axiom { + (forall s: Slice[T] :: { (slen(s): Int) } 0 <= (slen(s): Int)) + } + + axiom { + (forall s: Slice[T] :: + { (slen(s): Int) } + { (scap(s): Int) } + (slen(s): Int) <= (scap(s): Int)) + } + + axiom { + (forall s: Slice[T] :: { (soffset(s): Int) } 0 <= (soffset(s): Int)) + } + + axiom deconstructor_over_constructor_offset { + (forall a: ShArray[T], o: Int, l: Int, c: Int :: + { (soffset((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (soffset((smake(a, o, l, c): Slice[T])): Int) == o) + } + + axiom deconstructor_over_constructor_cap { + (forall a: ShArray[T], o: Int, l: Int, c: 
Int :: + { (scap((smake(a, o, l, c): Slice[T])): Int) } + 0 <= o && (0 <= l && (l <= c && o + c <= (ShArraylen(a): Int))) ==> + (scap((smake(a, o, l, c): Slice[T])): Int) == c) + } + + axiom { + (forall s: Slice[T] :: + { (sarray(s): ShArray[T]) } + { (soffset(s): Int) } + { (slen(s): Int) } + { (scap(s): Int) } + s == + (smake((sarray(s): ShArray[T]), (soffset(s): Int), (slen(s): Int), (scap(s): Int)): Slice[T])) + } +} + +domain ShStruct6[T0, T1, T2, T3, T4, T5] { + + function ShStructget1of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T1 + + function ShStructget0of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T0 + + function ShStructrev3of6(v3: T3): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev4of6(v4: T4): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget5of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T5 + + function ShStructget3of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T3 + + function ShStructget2of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T2 + + function ShStructrev0of6(v0: T0): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev2of6(v2: T2): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev1of6(v1: T1): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructrev5of6(v5: T5): ShStruct6[T0, T1, T2, T3, T4, T5] + + function ShStructget4of6(x: ShStruct6[T0, T1, T2, T3, T4, T5]): T4 + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget3of6(x): T3) } + (ShStructrev3of6((ShStructget3of6(x): T3)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget1of6(x): T1) } + (ShStructrev1of6((ShStructget1of6(x): T1)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5], y: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of6(x): T0) == (ShStructget0of6(y): T0) && + (ShStructget1of6(x): T1) == (ShStructget1of6(y): T1) && + (ShStructget2of6(x): T2) == 
(ShStructget2of6(y): T2) && + (ShStructget3of6(x): T3) == (ShStructget3of6(y): T3) && + (ShStructget4of6(x): T4) == (ShStructget4of6(y): T4) && + (ShStructget5of6(x): T5) == (ShStructget5of6(y): T5))) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget0of6(x): T0) } + (ShStructrev0of6((ShStructget0of6(x): T0)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget2of6(x): T2) } + (ShStructrev2of6((ShStructget2of6(x): T2)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget5of6(x): T5) } + (ShStructrev5of6((ShStructget5of6(x): T5)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } + + axiom { + (forall x: ShStruct6[T0, T1, T2, T3, T4, T5] :: + { (ShStructget4of6(x): T4) } + (ShStructrev4of6((ShStructget4of6(x): T4)): ShStruct6[T0, T1, T2, T3, T4, T5]) == + x) + } +} + +domain ShArray[T] { + + function ShArrayloc(a: ShArray[T], i: Int): T + + function ShArraysecond(r: T): Int + + function ShArrayfirst(r: T): ShArray[T] + + function ShArraylen(a: ShArray[T]): Int + + axiom { + (forall a: ShArray[T] :: + { (ShArraylen(a): Int) } + (ShArraylen(a): Int) >= 0) + } + + axiom { + (forall a: ShArray[T], i: Int :: + { (ShArrayloc(a, i): T) } + 0 <= i && i < (ShArraylen(a): Int) ==> + (ShArrayfirst((ShArrayloc(a, i): T)): ShArray[T]) == a && + (ShArraysecond((ShArrayloc(a, i): T)): Int) == i) + } +} + +domain ShStruct0 { + + axiom { + (forall x: ShStruct0, y: ShStruct0 :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == true) + } +} + +domain Emb_8_Intbyte$$$_S_$$$ { + + +} + +domain ShStruct5[T0, T1, T2, T3, T4] { + + function ShStructget4of5(x: ShStruct5[T0, T1, T2, T3, T4]): T4 + + function ShStructget0of5(x: ShStruct5[T0, T1, T2, T3, T4]): T0 + + function ShStructrev3of5(v3: T3): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructrev1of5(v1: T1): ShStruct5[T0, T1, T2, T3, T4] + + function 
ShStructrev4of5(v4: T4): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget1of5(x: ShStruct5[T0, T1, T2, T3, T4]): T1 + + function ShStructrev2of5(v2: T2): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget3of5(x: ShStruct5[T0, T1, T2, T3, T4]): T3 + + function ShStructrev0of5(v0: T0): ShStruct5[T0, T1, T2, T3, T4] + + function ShStructget2of5(x: ShStruct5[T0, T1, T2, T3, T4]): T2 + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4], y: ShStruct5[T0, T1, T2, T3, T4] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of5(x): T0) == (ShStructget0of5(y): T0) && + (ShStructget1of5(x): T1) == (ShStructget1of5(y): T1) && + (ShStructget2of5(x): T2) == (ShStructget2of5(y): T2) && + (ShStructget3of5(x): T3) == (ShStructget3of5(y): T3) && + (ShStructget4of5(x): T4) == (ShStructget4of5(y): T4))) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget4of5(x): T4) } + (ShStructrev4of5((ShStructget4of5(x): T4)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget1of5(x): T1) } + (ShStructrev1of5((ShStructget1of5(x): T1)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget3of5(x): T3) } + (ShStructrev3of5((ShStructget3of5(x): T3)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget2of5(x): T2) } + (ShStructrev2of5((ShStructget2of5(x): T2)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } + + axiom { + (forall x: ShStruct5[T0, T1, T2, T3, T4] :: + { (ShStructget0of5(x): T0) } + (ShStructrev0of5((ShStructget0of5(x): T0)): ShStruct5[T0, T1, T2, T3, T4]) == + x) + } +} + +domain Tuple2[T0, T1] { + + function tuple2(t0: T0, t1: T1): Tuple2[T0, T1] + + function get0of2(p: Tuple2[T0, T1]): T0 + + function get1of2(p: Tuple2[T0, T1]): T1 + + axiom getter_over_tuple2 { + (forall t0: T0, t1: T1 :: + { (tuple2(t0, t1): Tuple2[T0, T1]) } + 
(get0of2((tuple2(t0, t1): Tuple2[T0, T1])): T0) == t0 && + (get1of2((tuple2(t0, t1): Tuple2[T0, T1])): T1) == t1) + } + + axiom tuple2_over_getter { + (forall p: Tuple2[T0, T1] :: + { (get0of2(p): T0) } + { (get1of2(p): T1) } + (tuple2((get0of2(p): T0), (get1of2(p): T1)): Tuple2[T0, T1]) == p) + } +} + +domain ShStruct4[T0, T1, T2, T3] { + + function ShStructrev1of4(v1: T1): ShStruct4[T0, T1, T2, T3] + + function ShStructget0of4(x: ShStruct4[T0, T1, T2, T3]): T0 + + function ShStructget2of4(x: ShStruct4[T0, T1, T2, T3]): T2 + + function ShStructget3of4(x: ShStruct4[T0, T1, T2, T3]): T3 + + function ShStructrev3of4(v3: T3): ShStruct4[T0, T1, T2, T3] + + function ShStructrev2of4(v2: T2): ShStruct4[T0, T1, T2, T3] + + function ShStructget1of4(x: ShStruct4[T0, T1, T2, T3]): T1 + + function ShStructrev0of4(v0: T0): ShStruct4[T0, T1, T2, T3] + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget1of4(x): T1) } + (ShStructrev1of4((ShStructget1of4(x): T1)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget3of4(x): T3) } + (ShStructrev3of4((ShStructget3of4(x): T3)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget0of4(x): T0) } + (ShStructrev0of4((ShStructget0of4(x): T0)): ShStruct4[T0, T1, T2, T3]) == + x) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3], y: ShStruct4[T0, T1, T2, T3] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of4(x): T0) == (ShStructget0of4(y): T0) && + (ShStructget1of4(x): T1) == (ShStructget1of4(y): T1) && + (ShStructget2of4(x): T2) == (ShStructget2of4(y): T2) && + (ShStructget3of4(x): T3) == (ShStructget3of4(y): T3))) + } + + axiom { + (forall x: ShStruct4[T0, T1, T2, T3] :: + { (ShStructget2of4(x): T2) } + (ShStructrev2of4((ShStructget2of4(x): T2)): ShStruct4[T0, T1, T2, T3]) == + x) + } +} + +domain ShStruct3[T0, T1, T2] { + + function ShStructget2of3(x: ShStruct3[T0, T1, T2]): T2 + + 
function ShStructrev1of3(v1: T1): ShStruct3[T0, T1, T2] + + function ShStructrev2of3(v2: T2): ShStruct3[T0, T1, T2] + + function ShStructget0of3(x: ShStruct3[T0, T1, T2]): T0 + + function ShStructget1of3(x: ShStruct3[T0, T1, T2]): T1 + + function ShStructrev0of3(v0: T0): ShStruct3[T0, T1, T2] + + axiom { + (forall x: ShStruct3[T0, T1, T2], y: ShStruct3[T0, T1, T2] :: + { (eq(x, y): Bool) } + (eq(x, y): Bool) == + ((ShStructget0of3(x): T0) == (ShStructget0of3(y): T0) && + (ShStructget1of3(x): T1) == (ShStructget1of3(y): T1) && + (ShStructget2of3(x): T2) == (ShStructget2of3(y): T2))) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget1of3(x): T1) } + (ShStructrev1of3((ShStructget1of3(x): T1)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget0of3(x): T0) } + (ShStructrev0of3((ShStructget0of3(x): T0)): ShStruct3[T0, T1, T2]) == + x) + } + + axiom { + (forall x: ShStruct3[T0, T1, T2] :: + { (ShStructget2of3(x): T2) } + (ShStructrev2of3((ShStructget2of3(x): T2)): ShStruct3[T0, T1, T2]) == + x) + } +} + +domain Emb_3_Intuint8$$$_S_$$$ { + + +} + +domain Tuple0 { + + +} + +domain Equality[T] { + + function eq(l: T, r: T): Bool + + axiom { + (forall l: T, r: T :: + { (eq(l, r): Bool) } + (eq(l, r): Bool) == (l == r)) + } +} + +domain ComparableInterfaceDomain { + + function comparableInterface(i: Tuple2[Ref, Types]): Bool + + axiom { + (forall i: Tuple2[Ref, Types] :: + { comparableInterface(i) } + comparableType_Types((get1of2(i): Types)) ==> comparableInterface(i)) + } +} + +domain WellFoundedOrder[T] { + + function decreasing(arg1: T, arg2: T): Bool + + function bounded(arg1: T): Bool +} + +domain Poly[T] { + + function box_Poly(x: T): Ref + + function unbox_Poly(y: Ref): T + + axiom { + (forall x: T :: + { (box_Poly(x): Ref) } + (unbox_Poly((box_Poly(x): Ref)): T) == x) + } +} + +domain String { + + unique function stringLit61646472(): Int + + unique function 
stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e(): Int + + unique function stringLit5468757273646179(): Int + + unique function stringLit5765646e6573646179(): Int + + unique function stringLit496e76616c6964536f7572636541646472657373(): Int + + unique function stringLit45787465726e616c496e74657266616365446f776e(): Int + + unique function stringLit556e6b6e6f776e4e65787448647254797065(): Int + + unique function stringLit736f757263652061646472657373206d697373696e67(): Int + + unique function stringLit6970(): Int + + unique function stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e(): Int + + unique function stringLit556e6b6e6f776e486f704279486f704f7074696f6e(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e20(): Int + + unique function stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468(): Int + + unique function stringLit44657374696e6174696f6e556e726561636861626c65(): Int + + unique function stringLit62756666657220746f6f2073686f7274(): Int + + unique function stringLit5472616365726f7574655265706c79(): Int + + unique function stringLit496e76616c6964457874656e73696f6e486561646572(): Int + + unique function stringLit5343494f4e20686561646572206d697373696e67(): Int + + unique function stringLit616464724864724c656e(): Int + + unique function stringLit4e6f6e65(): Int + + unique function stringLit6d696e696e756d5f6c65677468(): Int + + unique function stringLit5061746845787069726564(): Int + + unique function stringLit4563686f5265706c79(): Int + + unique function stringLit4f63746f626572(): Int + + unique function stringLit6864724279746573(): Int + + unique function stringLit496e76616c6964486f704669656c644d4143(): Int + + unique function stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function 
stringLit496e76616c69645365676d656e744368616e6765(): Int + + unique function stringLit5061636b6574546f6f426967(): Int + + unique function stringLit62696e6172792e4c6974746c65456e6469616e(): Int + + unique function stringLit424644(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365(): Int + + unique function stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032(): Int + + unique function stringLit496e76616c69645061636b657453697a65(): Int + + unique function stringLit5472616365726f75746552657175657374(): Int + + unique function stringLit556e6b6e6f776e5061746854797065(): Int + + unique function stringLit257328257329(): Int + + unique function stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e(): Int + + function strLen(id: Int): Int + + function strConcat(l: Int, r: Int): Int + + unique function stringLit456e6432456e64(): Int + + unique function stringLit4c6974746c65456e6469616e(): Int + + unique function stringLit4d6179(): Int + + unique function stringLit486f704279486f70(): Int + + unique function stringLit686561646572206c656e6774682065786365656473206d6178696d756d(): Int + + unique function stringLit6d6178(): Int + + unique function stringLit4a616e75617279(): Int + + unique function stringLit417072696c(): Int + + unique function stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564(): Int + + unique function stringLit256428256429(): Int + + unique function stringLit4a756e65(): Int + + unique function stringLit467269646179(): Int + + unique function stringLit506172616d6574657250726f626c656d(): Int + + unique function stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572(): Int + + unique function stringLit53657074656d626572(): Int + + unique function stringLit64657374696e6174696f6e2061646472657373206d697373696e67(): Int + + unique function 
stringLit496e7465726e616c436f6e6e6563746976697479446f776e(): Int + + unique function stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564(): Int + + unique function stringLit426967456e6469616e(): Int + + unique function stringLit417567757374(): Int + + unique function stringLit4665627275617279(): Int + + unique function stringLit446563656d626572(): Int + + unique function stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034(): Int + + unique function stringLit556e6b6e6f776e41646472657373466f726d6174(): Int + + unique function stringLit496e76616c6964436f6d6d6f6e486561646572(): Int + + unique function stringLit6c656e(): Int + + unique function stringLit53756e646179(): Int + + unique function stringLit556e6b6e6f776e5343494f4e56657273696f6e(): Int + + unique function stringLit6d696e696d756d(): Int + + unique function stringLit4e6f6e4c6f63616c44656c6976657279(): Int + + unique function stringLit554e4b4e4f574e2028256429(): Int + + unique function stringLit5361747572646179(): Int + + unique function stringLit6578706563746564(): Int + + unique function stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468(): Int + + unique function stringLit257328436f64653a20256429(): Int + + unique function stringLit6d696e(): Int + + unique function stringLit436d644864724c656e(): Int + + unique function stringLit70726f76696465642062756666657220697320746f6f20736d616c6c(): Int + + unique function stringLit4572726f6e656f75734865616465724669656c64(): Int + + unique function stringLit466c6f7749445265717569726564(): Int + + unique function stringLit4d6f6e646179(): Int + + unique function stringLit4a756c79(): Int + + unique function stringLit756470(): Int + + unique function stringLit4563686f52657175657374(): Int + + unique function stringLit(): Int + + unique function stringLit496e76616c696450617468(): Int + + unique function 
stringLit54756573646179(): Int + + unique function stringLit756e737570706f727465642061646472657373(): Int + + unique function stringLit544350(): Int + + unique function stringLit4e6f76656d626572(): Int + + unique function stringLit556e6b6e6f776e456e64546f456e644f7074696f6e(): Int + + unique function stringLit74797065(): Int + + unique function stringLit2573282564295c6e5061796c6f61643a202573(): Int + + unique function stringLit496e76616c696441646472657373486561646572(): Int + + unique function stringLit53434d50(): Int + + unique function stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365(): Int + + unique function stringLit4d61726368(): Int + + unique function stringLit4f7074696f6e206e6f7420666f756e64(): Int + + unique function stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573(): Int + + unique function stringLit62696e6172792e426967456e6469616e(): Int + + unique function stringLit554450(): Int + + unique function stringLit496e76616c696444657374696e6174696f6e41646472657373(): Int + + unique function stringLit61637475616c(): Int + + axiom { + strLen(stringLit5061746845787069726564()) == 11 + } + + axiom { + strLen(stringLit74797065()) == 4 + } + + axiom { + strLen(stringLit6578706563746564()) == 8 + } + + axiom { + strLen(stringLit756470()) == 3 + } + + axiom { + strLen(stringLit436d644864724c656e()) == 9 + } + + axiom { + strLen(stringLit62696e6172792e426967456e6469616e()) == 16 + } + + axiom { + strLen(stringLit496e76616c696441646472657373486561646572()) == 20 + } + + axiom { + strLen(stringLit257328436f64653a20256429()) == 12 + } + + axiom { + strLen(stringLit4563686f52657175657374()) == 11 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit686561646572206c656e6774682065786365656473206d6178696d756d()) == + 29 + } + + axiom { + strLen(stringLit496e76616c6964457874656e73696f6e486561646572()) == 22 + } + + axiom { + 
strLen(stringLit61637475616c()) == 6 + } + + axiom { + strLen(stringLit62696e6172792e4c6974746c65456e6469616e()) == 19 + } + + axiom { + strLen(stringLit467269646179()) == 6 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e204c656e677468202564206c657373207468616e2032()) == + 47 + } + + axiom { + strLen(stringLit4d61726368()) == 5 + } + + axiom { + strLen(stringLit70726f76696465642062756666657220697320746f6f20736d616c6c()) == + 28 + } + + axiom { + strLen(stringLit554450()) == 3 + } + + axiom { + strLen(stringLit426967456e6469616e()) == 9 + } + + axiom { + strLen(stringLit696e76616c6964206865616465722c206e6567617469766520706174684c656e()) == + 32 + } + + axiom { + strLen(stringLit63616e206e6f742063616c63756c61746520636865636b73756d20776974686f7574205343494f4e20686561646572()) == + 47 + } + + axiom { + strLen(stringLit53434d50206c61796572206c656e677468206973206c657373207468656e2034206279746573()) == + 38 + } + + axiom { + strLen(stringLit4a616e75617279()) == 7 + } + + axiom { + strLen(stringLit4d6179()) == 3 + } + + axiom { + strLen(stringLit4c656e677468202564206c657373207468616e20737065636966696564206c656e677468202564()) == + 39 + } + + axiom { + strLen(stringLit756e737570706f727465642061646472657373()) == 19 + } + + axiom { + strLen(stringLit4f63746f626572()) == 7 + } + + axiom { + strLen(stringLit44657374696e6174696f6e556e726561636861626c65()) == 22 + } + + axiom { + strLen(stringLit496e7465726e616c436f6e6e6563746976697479446f776e()) == + 24 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64456772657373496e74657266616365()) == + 30 + } + + axiom { + strLen(stringLit466c6f7749445265717569726564()) == 14 + } + + axiom { + strLen(stringLit4a756c79()) == 4 + } + + axiom { + strLen(stringLit5343494f4e20657874656e73696f6e2061637475616c206c656e677468206d757374206265206d756c7469706c65206f662034()) == + 51 + } + + axiom { + strLen(stringLit424644()) == 3 + } + + axiom { + strLen(stringLit486f704279486f70()) == 8 + } + + 
axiom { + strLen(stringLit556e6b6e6f776e5061746854797065()) == 15 + } + + axiom { + strLen(stringLit456e6432456e64()) == 7 + } + + axiom { + strLen(stringLit53434d50()) == 4 + } + + axiom { + strLen(stringLit5361747572646179()) == 8 + } + + axiom { + strLen(stringLit496e76616c6964436f6d6d6f6e486561646572()) == 19 + } + + axiom { + strLen(stringLit556e6b6e6f776e5343494f4e56657273696f6e()) == 19 + } + + axiom { + (forall l: Int, r: Int :: + { strLen(strConcat(l, r)) } + strLen(strConcat(l, r)) == strLen(l) + strLen(r)) + } + + axiom { + strLen(stringLit446563656d626572()) == 8 + } + + axiom { + strLen(stringLit5468757273646179()) == 8 + } + + axiom { + strLen(stringLit68626820657874656e73696f6e206d757374206e6f74206265207265706561746564()) == + 34 + } + + axiom { + strLen(stringLit62756666657220746f6f2073686f7274()) == 16 + } + + axiom { + strLen(stringLit554e4b4e4f574e2028256429()) == 12 + } + + axiom { + strLen(stringLit6970()) == 2 + } + + axiom { + strLen(stringLit5472616365726f7574655265706c79()) == 15 + } + + axiom { + strLen(stringLit64657374696e6174696f6e2061646472657373206d697373696e67()) == + 27 + } + + axiom { + strLen(stringLit256428256429()) == 6 + } + + axiom { + strLen(stringLit7061636b65742069732073686f72746572207468616e2074686520636f6d6d6f6e20686561646572206c656e677468()) == + 47 + } + + axiom { + strLen(stringLit53657074656d626572()) == 9 + } + + axiom { + strLen(stringLit4563686f5265706c79()) == 9 + } + + axiom { + strLen(stringLit65326520657874656e73696f6e206d757374206e6f7420636f6d65206265666f7265207468652048424820657874656e73696f6e()) == + 52 + } + + axiom { + strLen(stringLit5061636b6574546f6f426967()) == 12 + } + + axiom { + strLen(stringLit496e76616c696450617468()) == 11 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704669656c64496e6772657373496e74657266616365()) == + 31 + } + + axiom { + strLen(stringLit2573282564295c6e5061796c6f61643a202573()) == 19 + } + + axiom { + strLen(stringLit257328257329()) == 6 + } + + axiom { + 
strLen(stringLit417072696c()) == 5 + } + + axiom { + strLen(stringLit4665627275617279()) == 8 + } + + axiom { + strLen(stringLit696e76616c696420657874656e73696f6e206865616465722e20()) == + 26 + } + + axiom { + strLen(stringLit4f7074696f6e206e6f7420666f756e64()) == 16 + } + + axiom { + strLen(stringLit686561646572206c656e677468206973206e6f7420616e20696e7465676572206d756c7469706c65206f66206c696e65206c656e677468()) == + 55 + } + + axiom { + strLen(stringLit53756e646179()) == 6 + } + + axiom { + strLen(stringLit45787465726e616c496e74657266616365446f776e()) == 21 + } + + axiom { + strLen(stringLit4e6f76656d626572()) == 8 + } + + axiom { + strLen(stringLit556e6b6e6f776e41646472657373466f726d6174()) == 20 + } + + axiom { + strLen(stringLit54756573646179()) == 7 + } + + axiom { + strLen(stringLit4d6f6e646179()) == 6 + } + + axiom { + strLen(stringLit556e6b6e6f776e456e64546f456e644f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit6d696e()) == 3 + } + + axiom { + strLen(stringLit6d6178()) == 3 + } + + axiom { + strLen(stringLit496e76616c696444657374696e6174696f6e41646472657373()) == + 25 + } + + axiom { + strLen(stringLit616464724864724c656e()) == 10 + } + + axiom { + strLen(stringLit4e6f6e4c6f63616c44656c6976657279()) == 16 + } + + axiom { + strLen(stringLit5472616365726f75746552657175657374()) == 17 + } + + axiom { + strLen(stringLit()) == 0 + } + + axiom { + strLen(stringLit556e6b6e6f776e486f704279486f704f7074696f6e()) == 21 + } + + axiom { + strLen(stringLit496e76616c6964536f7572636541646472657373()) == 20 + } + + axiom { + strLen(stringLit4572726f6e656f75734865616465724669656c64()) == 20 + } + + axiom { + strLen(stringLit4a756e65()) == 4 + } + + axiom { + strLen(stringLit417567757374()) == 6 + } + + axiom { + strLen(stringLit61646472()) == 4 + } + + axiom { + strLen(stringLit4c6974746c65456e6469616e()) == 12 + } + + axiom { + strLen(stringLit4e6f6e65()) == 4 + } + + axiom { + strLen(stringLit6d696e696d756d()) == 7 + } + + axiom { + 
strLen(stringLit496e76616c69645061636b657453697a65()) == 17 + } + + axiom { + strLen(stringLit736f757263652061646472657373206d697373696e67()) == 22 + } + + axiom { + strLen(stringLit6c656e()) == 3 + } + + axiom { + strLen(stringLit756e737570706f72746564206164647265737320747970652f6c656e67746820636f6d62696e6174696f6e()) == + 43 + } + + axiom { + (forall str: Int :: { strLen(str) } 0 <= strLen(str)) + } + + axiom { + strLen(stringLit5343494f4e20686561646572206d697373696e67()) == 20 + } + + axiom { + strLen(stringLit496e76616c6964486f704669656c644d4143()) == 18 + } + + axiom { + strLen(stringLit556e6b6e6f776e4e65787448647254797065()) == 18 + } + + axiom { + strLen(stringLit5765646e6573646179()) == 9 + } + + axiom { + strLen(stringLit544350()) == 3 + } + + axiom { + strLen(stringLit6d696e696e756d5f6c65677468()) == 13 + } + + axiom { + strLen(stringLit496e76616c69645365676d656e744368616e6765()) == 20 + } + + axiom { + strLen(stringLit506172616d6574657250726f626c656d()) == 16 + } + + axiom { + strLen(stringLit6864724279746573()) == 8 + } +} + +domain PolyAdditionalAxioms { + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == nilDecodeFeedback_b41831d7_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct4[Ref, Ref, Ref, Ref], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$], ShStruct6[Ref, Ref, Ref, Ref, Ref, Emb_6_Intbyte$$$_S_$$$]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, 
Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct3[ShStruct3[Ref, Ref, Emb_3_Intuint8$$$_S_$$$], Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct2[Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct0) } + (box_Poly((unbox_Poly(y): ShStruct0)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct5[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Slice[Ref]) } + (box_Poly((unbox_Poly(y): Slice[Ref])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[ShStruct2[Ref, Ref], Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct2[Ref, Ref]])): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): Int) } + (box_Poly((unbox_Poly(y): Int)): Ref) == y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[Ref, Ref]) } + 
(box_Poly((unbox_Poly(y): ShStruct2[Ref, Ref])): Ref) == y) + } + + axiom { + (forall y: Tuple2[Ref, Types] :: + { (unbox_Poly((get0of2(y): Ref)): Tuple0) } + (get1of2(y): Types) == Path_4cddb96f_T_Types() ==> + (box_Poly((unbox_Poly((get0of2(y): Ref)): Tuple0)): Ref) == + (get0of2(y): Ref)) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref]) } + (box_Poly((unbox_Poly(y): ShStruct2[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref], Ref])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]]) } + (box_Poly((unbox_Poly(y): ShStruct1[ShStruct4[ShStruct2[Ref, Ref], Ref, Ref, Ref]])): Ref) == + y) + } + + axiom { + (forall y: Ref :: + { (unbox_Poly(y): ShStruct3[Ref, Ref, Ref]) } + (box_Poly((unbox_Poly(y): ShStruct3[Ref, Ref, Ref])): Ref) == y) + } +} + +domain IntWellFoundedOrder { + + axiom integer_ax_bound { + (forall int1: Int :: + { (bounded(int1): Bool) } + int1 >= 0 ==> (bounded(int1): Bool)) + } + + axiom integer_ax_dec { + (forall int1: Int, int2: Int :: + { (decreasing(int1, int2): Bool) } + int1 < int2 ==> (decreasing(int1, int2): Bool)) + } +} + +field SliceIntbyte$$$_S_$$$$$$$_E_$$$: Slice[Ref] + +field Interfaceempty_interface$$$$_E_$$$: Tuple2[Ref, Types] + +field DefinedIA_cd675838_T$$$$_E_$$$: Int + +field Intbyte$$$$_E_$$$: Int + +// decreases _ +function unbox_Emb_1_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(y: Emb_1_Interfaceempty_interface$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 || + result == arrayNil_1_Interfaceempty_interface$$$_S_$$$() + ensures box_Emb_1_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + y + + +// decreases _ +function intBitwiseAnd(left: Int, right: Int): Int + + +// decreases _ +function shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$(): ShStruct2[Ref, Ref] + ensures (ShStructget0of2(result): Ref) == null 
&& + (ShStructget1of2(result): Ref) == null + + +// decreases _ +function intShiftLeft(left: Int, right: Int): Int + requires right >= 0 + + +// decreases _ +function arrayNil_1_Interfaceempty_interface$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +// decreases _ +function intShiftRight(left: Int, right: Int): Int + requires right >= 0 + + +function arrayDefault_8_Intbyte$$$$_E_$$$(): Emb_8_Intbyte$$$$_E_$$$ + ensures |unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(result)| == 8 + ensures (forall idx: Int :: + { unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(result)[idx] } + 0 <= idx && idx < 8 ==> + unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(result)[idx] == 0) + + +// decreases +function IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]): Bool + requires !(thisItf == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + requires acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf), wildcard) + + +// decreases _ +function unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(y: Emb_8_Intbyte$$$_S_$$$): ShArray[Ref] + ensures (ShArraylen(result): Int) == 8 || + result == arrayNil_8_Intbyte$$$_S_$$$() + ensures box_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(result) == y + + +// decreases _ +function box_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(x: Seq[Int]): Emb_8_Intbyte$$$$_E_$$$ + requires |x| == 8 + ensures unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(result) == x + + +// decreases _ +function sliceDefault_Interfaceempty_interface$$$_S_$$$(): Slice[Ref] + ensures (soffset(result): Int) == 0 + ensures (slen(result): Int) == 0 + ensures (scap(result): Int) == 0 + ensures (sarray(result): ShArray[Ref]) == + unbox_Emb_1_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(box_Emb_1_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(arrayNil_1_Interfaceempty_interface$$$_S_$$$())) + + +// decreases _ +function unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(y: Emb_8_Intbyte$$$$_E_$$$): Seq[Int] + 
ensures |result| == 8 + ensures box_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(result) == y + + +// decreases _ +function box_Emb_1_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_1_Interfaceempty_interface$$$_S_$$$ + requires (ShArraylen(x): Int) == 1 || + x == arrayNil_1_Interfaceempty_interface$$$_S_$$$() + ensures unbox_Emb_1_Interfaceempty_interface$$$_S_$$$_ShArray_Ref(result) == + x + + +// decreases _ +function shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$(): ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + ensures (ShStructget0of17(result): ShStruct2[Ref, Ref]) == + shStructDefault_$ContentsA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PayloadA_SliceIntbyte$$$_S_$$$$$$_S_$$$$() && + (ShStructget1of17(result): Ref) == null && + (ShStructget2of17(result): Ref) == null && + (ShStructget3of17(result): Ref) == null && + (ShStructget4of17(result): Ref) == null && + (ShStructget5of17(result): Ref) == null && + (ShStructget6of17(result): Ref) == null && + (ShStructget7of17(result): Ref) == null && + (ShStructget8of17(result): Ref) == null && + (ShStructget9of17(result): Ref) == null && + (ShStructget10of17(result): Ref) == null && + (ShStructget11of17(result): Ref) == null && + (ShStructget12of17(result): Ref) == null && + (ShStructget13of17(result): Ref) == null 
&& + (ShStructget14of17(result): Ref) == null && + (ShStructget15of17(result): Ref) == null && + (ShStructget16of17(result): Ref) == null + + +// decreases _ +function box_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(x: ShArray[Ref]): Emb_8_Intbyte$$$_S_$$$ + requires (ShArraylen(x): Int) == 8 || x == arrayNil_8_Intbyte$$$_S_$$$() + ensures unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(result) == x + + +function ssliceFromArray_Ref(a: ShArray[Ref], i: Int, j: Int): Slice[Ref] + requires 0 <= i + requires i <= j + requires j <= (ShArraylen(a): Int) + ensures (soffset(result): Int) == i + ensures (slen(result): Int) == j - i + ensures (scap(result): Int) == (ShArraylen(a): Int) - i + ensures (sarray(result): ShArray[Ref]) == a + + +// decreases _ +function arrayNil_8_Intbyte$$$_S_$$$(): ShArray[Ref] + ensures (ShArraylen(result): Int) == 1 + ensures (forall idx: Int :: + { (ShArrayloc(result, idx): Ref) } + (ShArrayloc(result, idx): Ref) == null) + + +function sadd(left: Int, right: Int): Int + ensures result == left + right +{ + left + right +} + +predicate AbsSlice_Bytes_e630ae22_F(s_V0: Slice[Ref], start_V0: Int, end_V0: Int) + +predicate ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(thisItf: Tuple2[Ref, Types]) + +// decreases +method pseudoHeaderChecksum_840d9458_PMSCION$L$66$2(s_V0_CN0$in: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + csum_V1$in: Int, i_V6$in: Int, err_V0_CN4$in: Tuple2[Ref, Types]) + returns (csum_V1$out: Int) + requires acc((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + requires 0 <= i_V6$in && + i_V6$in < + (slen((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) && + i_V6$in % 2 == 0 && + 
(slen((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) % + 2 == + 0 + requires err_V0_CN4$in == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + ensures err_V0_CN4$in == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + ensures acc((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + ensures (ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + old((ShStructget12of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$) + + +// decreases +method pseudoHeaderChecksum_840d9458_PMSCION(s_V0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + length_V0: Int, protocol_V0: Int) + returns (res_V0: Int, err_V0: Tuple2[Ref, Types]) + requires acc((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) + requires (slen((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) % + 2 == + 0 && + (slen((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) % + 2 == + 0 + requires acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, 1 / + 4194304) + requires acc(AbsSlice_Bytes_e630ae22_F((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + requires acc(AbsSlice_Bytes_e630ae22_F((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + ensures acc((ShStructget13of17(s_V0): 
Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) + ensures acc((ShStructget11of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, 1 / + 4194304) && + acc((ShStructget10of17(s_V0): Ref).DefinedIA_cd675838_T$$$$_E_$$$, 1 / + 4194304) + ensures acc(AbsSlice_Bytes_e630ae22_F((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + ensures acc(AbsSlice_Bytes_e630ae22_F((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + ensures (slen((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + 0 ==> + !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + ensures (slen((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + 0 ==> + !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) + ensures !(err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) ==> + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(err_V0), write) + ensures (slen((ShStructget12of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) > + 0 && + (slen((ShStructget13of17(s_V0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) > + 0 ==> + err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) +{ + inhale res_V0 == 0 + inhale err_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // decl s_V0_CN0: *SCION_840d9458_T@°°, length_V0_CN1: int°°, protocol_V0_CN2: uint8°°, res_V0_CN3: uint32°°, err_V0_CN4: error_a4af0e5e_T°° + var err_V0_CN4: Tuple2[Ref, Types] + var res_V0_CN3: Int + var protocol_V0_CN2: Int + var length_V0_CN1: Int + var s_V0_CN0: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref] + + + + // init s_V0_CN0 + inhale s_V0_CN0 == + 
shStructDefault_$BaseLayerA_DefinedBaseLayer_840d9458_T$$$_S_$$$_VersionA_Intuint8$$$_S_$$$_TrafficClassA_Intuint8$$$_S_$$$_FlowIDA_Intuint32$$$_S_$$$_NextHdrA_DefinedL4ProtocolType_840d9458_T$$$_S_$$$_HdrLenA_Intuint8$$$_S_$$$_PayloadLenA_Intuint16$$$_S_$$$_PathTypeA_DefinedType_a6ceb89d_T$$$_S_$$$_DstAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_SrcAddrTypeA_DefinedAddrType_840d9458_T$$$_S_$$$_DstIAA_DefinedIA_cd675838_T$$$_S_$$$_SrcIAA_DefinedIA_cd675838_T$$$_S_$$$_RawDstAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_RawSrcAddrA_SliceIntbyte$$$_S_$$$$$$_S_$$$_PathA_DefinedPath_a6ceb89d_T$$$_S_$$$_pathPoolA_SliceDefinedPath_a6ceb89d_T$$$_S_$$$$$$_S_$$$_pathPoolRawA_DefinedPath_a6ceb89d_T$$$_S_$$$$() + + // init length_V0_CN1 + inhale length_V0_CN1 == 0 + + // init protocol_V0_CN2 + inhale protocol_V0_CN2 == 0 + + // init res_V0_CN3 + inhale res_V0_CN3 == 0 + + // init err_V0_CN4 + inhale err_V0_CN4 == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // s_V0_CN0 = s_V0 + s_V0_CN0 := s_V0 + + // length_V0_CN1 = length_V0 + length_V0_CN1 := length_V0 + + // protocol_V0_CN2 = protocol_V0 + protocol_V0_CN2 := protocol_V0 + + // decl csum_V1: uint32°°, srcIA_V1: [8]byte@@@, dstIA_V1: [8]byte@@@, rawSrcAddrLen_V1: int°°, rawDstAddrLen_V1: int°°, l_V1: uint32°° + var l_V1: Int + var rawDstAddrLen_V1: Int + var rawSrcAddrLen_V1: Int + var dstIA_V1: Emb_8_Intbyte$$$_S_$$$ + var srcIA_V1: Emb_8_Intbyte$$$_S_$$$ + var csum_V1: Int + + // if(len(*s_V0_CN0.RawDstAddrA) == 0) {...} else {...} + if ((slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + 0) { + + // decl N5: error_a4af0e5e_T°° + var N5: Tuple2[Ref, Types] + + // N5 = New_bfd5223e_F("destination address missing", (nil:[]interface{ name is empty_interface }@°)) + N5 := New_bfd5223e_F(stringLit64657374696e6174696f6e2061646472657373206d697373696e67(), + sliceDefault_Interfaceempty_interface$$$_S_$$$()) + + // res_V0_CN3 = 0 + res_V0_CN3 := 0 + + // err_V0_CN4 = N5 + err_V0_CN4 := N5 + + // 
return + goto returnLabel + } + + // if(len(*s_V0_CN0.RawSrcAddrA) == 0) {...} else {...} + if ((slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + 0) { + + // decl N6: error_a4af0e5e_T°° + var N6: Tuple2[Ref, Types] + + // N6 = New_bfd5223e_F("source address missing", (nil:[]interface{ name is empty_interface }@°)) + N6 := New_bfd5223e_F(stringLit736f757263652061646472657373206d697373696e67(), + sliceDefault_Interfaceempty_interface$$$_S_$$$()) + + // res_V0_CN3 = 0 + res_V0_CN3 := 0 + + // err_V0_CN4 = N6 + err_V0_CN4 := N6 + + // return + goto returnLabel + } + + // init csum_V1 + inhale csum_V1 == 0 + + // csum_V1 = dflt[uint32°] + csum_V1 := 0 + + // init srcIA_V1 + var fn$$1: Emb_8_Intbyte$$$_S_$$$ + var fn$$2: Emb_8_Intbyte$$$$_E_$$$ + fn$$1 := srcIA_V1 + fn$$2 := arrayDefault_8_Intbyte$$$$_E_$$$() + inhale (forall fn$$0: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), fn$$0): Ref) } + 0 <= fn$$0 && fn$$0 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), fn$$0): Ref).Intbyte$$$$_E_$$$, write)) && + ((forall fn$$3: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$1), fn$$3): Ref) } + { unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$2)[fn$$3] } + 0 <= fn$$3 && fn$$3 < 8 ==> + (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$1), fn$$3): Ref).Intbyte$$$$_E_$$$ == + unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$2)[fn$$3]) && + !(srcIA_V1 == + box_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_8_Intbyte$$$_S_$$$()))) + + // init dstIA_V1 + var fn$$5: Emb_8_Intbyte$$$_S_$$$ + var fn$$6: Emb_8_Intbyte$$$$_E_$$$ + fn$$5 := dstIA_V1 + fn$$6 := arrayDefault_8_Intbyte$$$$_E_$$$() + inhale (forall fn$$4: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), fn$$4): Ref) } + 0 <= fn$$4 && fn$$4 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), fn$$4): Ref).Intbyte$$$$_E_$$$, write)) && + ((forall fn$$7: Int :: + { 
(ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$5), fn$$7): Ref) } + { unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$6)[fn$$7] } + 0 <= fn$$7 && fn$$7 < 8 ==> + (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$5), fn$$7): Ref).Intbyte$$$$_E_$$$ == + unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$6)[fn$$7]) && + !(dstIA_V1 == + box_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(arrayNil_8_Intbyte$$$_S_$$$()))) + + // srcIA_V1 = dflt[[8]byte°°] + var fn$$9: Emb_8_Intbyte$$$_S_$$$ + var fn$$10: Emb_8_Intbyte$$$$_E_$$$ + fn$$9 := srcIA_V1 + fn$$10 := arrayDefault_8_Intbyte$$$$_E_$$$() + exhale (forall fn$$8: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), fn$$8): Ref) } + 0 <= fn$$8 && fn$$8 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), fn$$8): Ref).Intbyte$$$$_E_$$$, write)) + inhale (forall fn$$8: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), fn$$8): Ref) } + 0 <= fn$$8 && fn$$8 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), fn$$8): Ref).Intbyte$$$$_E_$$$, write)) && + (forall fn$$11: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$9), fn$$11): Ref) } + { unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$10)[fn$$11] } + 0 <= fn$$11 && fn$$11 < 8 ==> + (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$9), fn$$11): Ref).Intbyte$$$$_E_$$$ == + unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$10)[fn$$11]) + + // dstIA_V1 = dflt[[8]byte°°] + var fn$$13: Emb_8_Intbyte$$$_S_$$$ + var fn$$14: Emb_8_Intbyte$$$$_E_$$$ + fn$$13 := dstIA_V1 + fn$$14 := arrayDefault_8_Intbyte$$$$_E_$$$() + exhale (forall fn$$12: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), fn$$12): Ref) } + 0 <= fn$$12 && fn$$12 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), fn$$12): Ref).Intbyte$$$$_E_$$$, write)) + inhale (forall fn$$12: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), fn$$12): Ref) } 
+ 0 <= fn$$12 && fn$$12 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), fn$$12): Ref).Intbyte$$$$_E_$$$, write)) && + (forall fn$$15: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$13), fn$$15): Ref) } + { unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$14)[fn$$15] } + 0 <= fn$$15 && fn$$15 < 8 ==> + (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(fn$$13), fn$$15): Ref).Intbyte$$$$_E_$$$ == + unbox_Emb_8_Intbyte$$$$_E_$$$_Seq_Int(fn$$14)[fn$$15]) + + // 0PutUint64(srcIA_V1[0:len(srcIA_V1)], uint64°(*s_V0_CN0.SrcIAA)) + PutUint64_72f0d887_MbigEndian(0, ssliceFromArray_Ref(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), + 0, (ShArraylen(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1)): Int)), + (ShStructget11of17(s_V0_CN0): Ref).DefinedIA_cd675838_T$$$$_E_$$$) + + // 0PutUint64(dstIA_V1[0:len(dstIA_V1)], uint64°(*s_V0_CN0.DstIAA)) + PutUint64_72f0d887_MbigEndian(0, ssliceFromArray_Ref(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), + 0, (ShArraylen(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1)): Int)), + (ShStructget10of17(s_V0_CN0): Ref).DefinedIA_cd675838_T$$$$_E_$$$) + + // decl i_V2: int°°, L$25$1$Break + var i_V2: Int + + // init i_V2 + inhale i_V2 == 0 + + // i_V2 = 0 + i_V2 := 0 + + // while(i_V2 < 8) +// invariant forall j_V3: int° :: { &srcIA_V1[j_V3] } 0 <= j_V3 && j_V3 < 8 ==> acc(srcIA_V1[j_V3]) +// invariant forall j_V4: int° :: { &dstIA_V1[j_V4] } 0 <= j_V4 && j_V4 < 8 ==> acc(dstIA_V1[j_V4]) +// invariant i_V2 % 2 == 0 +// invariant 0 <= i_V2 && i_V2 <= 8 +// decreases8 - i_V2 + + + // decreases 8 - i_V2 + while (i_V2 < 8) + invariant (forall j_V3: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), j_V3): Ref) } + 0 <= j_V3 && j_V3 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), + j_V3): Ref).Intbyte$$$$_E_$$$, write)) + invariant (forall j_V4: Int :: + { (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), j_V4): Ref) } + 
0 <= j_V4 && j_V4 < 8 ==> + acc((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), + j_V4): Ref).Intbyte$$$$_E_$$$, write)) + invariant i_V2 % 2 == 0 + invariant 0 <= i_V2 && i_V2 <= 8 + { + var old_W7_T0: Int + old_W7_T0 := 8 - i_V2 + + // decl L$25$1$Continue + + // decl + + // csum_V1 = csum_V1 + uint32°(srcIA_V1[i_V2]) << 8 + csum_V1 := csum_V1 + + intShiftLeft((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), + i_V2): Ref).Intbyte$$$$_E_$$$, 8) + + // csum_V1 = csum_V1 + uint32°(srcIA_V1[i_V2 + 1]) + csum_V1 := csum_V1 + + (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(srcIA_V1), i_V2 + + 1): Ref).Intbyte$$$$_E_$$$ + + // csum_V1 = csum_V1 + uint32°(dstIA_V1[i_V2]) << 8 + csum_V1 := csum_V1 + + intShiftLeft((ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), + i_V2): Ref).Intbyte$$$$_E_$$$, 8) + + // csum_V1 = csum_V1 + uint32°(dstIA_V1[i_V2 + 1]) + csum_V1 := csum_V1 + + (ShArrayloc(unbox_Emb_8_Intbyte$$$_S_$$$_ShArray_Ref(dstIA_V1), i_V2 + + 1): Ref).Intbyte$$$$_E_$$$ + + // L$25$1$Continue + label L$25$1$Continue + + // i_V2 = i_V2 + 2 + i_V2 := i_V2 + 2 + if (i_V2 < 8) { + + } + + assert true && i_V2 < 8 ==> + (decreasing(8 - i_V2, old_W7_T0): Bool) && (bounded(old_W7_T0): Bool) || + 8 - i_V2 == old_W7_T0 && false + } + + // L$25$1$Break + label L$25$1$Break + + // init rawSrcAddrLen_V1 + inhale rawSrcAddrLen_V1 == 0 + + // rawSrcAddrLen_V1 = len(*s_V0_CN0.RawSrcAddrA) + rawSrcAddrLen_V1 := (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) + + // decl i_V5: int°°, L$38$1$Break + var i_V5: Int + + // init i_V5 + inhale i_V5 == 0 + + // i_V5 = 0 + i_V5 := 0 + + // while(i_V5 < len(*s_V0_CN0.RawSrcAddrA)) +// invariant acc(*s_V0_CN0.RawSrcAddrA, perm(1/4194304)) && acc(AbsSlice_Bytes_e630ae22_F(*s_V0_CN0.RawSrcAddrA, 0, len(*s_V0_CN0.RawSrcAddrA)), perm(1/4194304)) +// invariant len(*s_V0_CN0.RawSrcAddrA) == rawSrcAddrLen_V1 +// invariant len(*s_V0_CN0.RawSrcAddrA) % 2 == 0 +// 
invariant i_V5 % 2 == 0 +// invariant 0 <= i_V5 && i_V5 <= len(*s_V0_CN0.RawSrcAddrA) +// decreaseslen(*s_V0_CN0.RawSrcAddrA) - i_V5 + + + // decreases (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - i_V5 + while (i_V5 < + (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) + invariant acc((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + invariant (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + rawSrcAddrLen_V1 + invariant (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) % + 2 == + 0 + invariant i_V5 % 2 == 0 + invariant 0 <= i_V5 && + i_V5 <= + (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) + { + var old_W8_T0: Int + old_W8_T0 := (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - + i_V5 + + // decl L$38$1$Continue + + // decl + + // +// requires acc(*s_V0_CN0.RawSrcAddrA, perm(1/4194304)) && acc(AbsSlice_Bytes_e630ae22_F(*s_V0_CN0.RawSrcAddrA, 0, len(*s_V0_CN0.RawSrcAddrA)), perm(1/4194304)) +// requires 0 <= i_V5 && i_V5 < len(*s_V0_CN0.RawSrcAddrA) && i_V5 % 2 == 0 && len(*s_V0_CN0.RawSrcAddrA) % 2 == 0 +// requires err_V0_CN4 == (nil:error_a4af0e5e_T°) +// ensures err_V0_CN4 == (nil:error_a4af0e5e_T°) +// ensures acc(*s_V0_CN0.RawSrcAddrA, perm(1/4194304)) && acc(AbsSlice_Bytes_e630ae22_F(*s_V0_CN0.RawSrcAddrA, 0, len(*s_V0_CN0.RawSrcAddrA)), perm(1/4194304)) +// ensures *s_V0_CN0.RawSrcAddrA === old[before](*s_V0_CN0.RawSrcAddrA) +// decreases +// outline + csum_V1 := pseudoHeaderChecksum_840d9458_PMSCION$L$45$2(s_V0_CN0, csum_V1, + i_V5, err_V0_CN4) + + // L$38$1$Continue + label L$38$1$Continue + + // i_V5 = i_V5 + 2 + i_V5 := 
i_V5 + 2 + if (i_V5 < + (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) { + + } + + assert true && + i_V5 < + (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) ==> + (decreasing((slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - + i_V5, old_W8_T0): Bool) && + (bounded(old_W8_T0): Bool) || + (slen((ShStructget13of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - + i_V5 == + old_W8_T0 && + false + } + + // L$38$1$Break + label L$38$1$Break + + // init rawDstAddrLen_V1 + inhale rawDstAddrLen_V1 == 0 + + // rawDstAddrLen_V1 = len(*s_V0_CN0.RawDstAddrA) + rawDstAddrLen_V1 := (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) + + // decl i_V6: int°°, L$59$1$Break + var i_V6: Int + + // init i_V6 + inhale i_V6 == 0 + + // i_V6 = 0 + i_V6 := 0 + + // while(i_V6 < len(*s_V0_CN0.RawDstAddrA)) +// invariant acc(*s_V0_CN0.RawDstAddrA, perm(1/4194304)) && acc(AbsSlice_Bytes_e630ae22_F(*s_V0_CN0.RawDstAddrA, 0, len(*s_V0_CN0.RawDstAddrA)), perm(1/4194304)) +// invariant len(*s_V0_CN0.RawDstAddrA) == rawDstAddrLen_V1 +// invariant len(*s_V0_CN0.RawDstAddrA) % 2 == 0 +// invariant i_V6 % 2 == 0 +// invariant 0 <= i_V6 && i_V6 <= len(*s_V0_CN0.RawDstAddrA) +// decreaseslen(*s_V0_CN0.RawDstAddrA) - i_V6 + + + // decreases (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - i_V6 + while (i_V6 < + (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) + invariant acc((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + invariant (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) == + rawDstAddrLen_V1 + invariant 
(slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) % + 2 == + 0 + invariant i_V6 % 2 == 0 + invariant 0 <= i_V6 && + i_V6 <= + (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) + { + var old_W9_T0: Int + old_W9_T0 := (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - + i_V6 + + // decl L$59$1$Continue + + // decl + + // +// requires acc(*s_V0_CN0.RawDstAddrA, perm(1/4194304)) && acc(AbsSlice_Bytes_e630ae22_F(*s_V0_CN0.RawDstAddrA, 0, len(*s_V0_CN0.RawDstAddrA)), perm(1/4194304)) +// requires 0 <= i_V6 && i_V6 < len(*s_V0_CN0.RawDstAddrA) && i_V6 % 2 == 0 && len(*s_V0_CN0.RawDstAddrA) % 2 == 0 +// requires err_V0_CN4 == (nil:error_a4af0e5e_T°) +// ensures err_V0_CN4 == (nil:error_a4af0e5e_T°) +// ensures acc(*s_V0_CN0.RawDstAddrA, perm(1/4194304)) && acc(AbsSlice_Bytes_e630ae22_F(*s_V0_CN0.RawDstAddrA, 0, len(*s_V0_CN0.RawDstAddrA)), perm(1/4194304)) +// ensures *s_V0_CN0.RawDstAddrA === old[before](*s_V0_CN0.RawDstAddrA) +// decreases +// outline + csum_V1 := pseudoHeaderChecksum_840d9458_PMSCION$L$66$2(s_V0_CN0, csum_V1, + i_V6, err_V0_CN4) + + // L$59$1$Continue + label L$59$1$Continue + + // i_V6 = i_V6 + 2 + i_V6 := i_V6 + 2 + if (i_V6 < + (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)) { + + } + + assert true && + i_V6 < + (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) ==> + (decreasing((slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - + i_V6, old_W9_T0): Bool) && + (bounded(old_W9_T0): Bool) || + (slen((ShStructget12of17(s_V0_CN0): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) - + i_V6 == + old_W9_T0 && + false + } + + // L$59$1$Break + label L$59$1$Break + + // init l_V1 + inhale l_V1 == 0 + + // l_V1 = uint32°(length_V0_CN1) + l_V1 := length_V0_CN1 + + // csum_V1 = csum_V1 + l_V1 >> 16 + l_V1 & 0xffff + csum_V1 := csum_V1 + + (intShiftRight(l_V1, 16) + intBitwiseAnd(l_V1, 
65535)) + + // csum_V1 = csum_V1 + uint32°(protocol_V0_CN2) + csum_V1 := csum_V1 + protocol_V0_CN2 + + // res_V0_CN3 = csum_V1 + res_V0_CN3 := csum_V1 + + // err_V0_CN4 = (nil:error_a4af0e5e_T°) + err_V0_CN4 := (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + + // return + goto returnLabel + label returnLabel + + // res_V0 = res_V0_CN3 + res_V0 := res_V0_CN3 + + // err_V0 = err_V0_CN4 + err_V0 := err_V0_CN4 +} + +// decreases +method pseudoHeaderChecksum_840d9458_PMSCION$L$45$2(s_V0_CN0$in: ShStruct17[ShStruct2[Ref, Ref], Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref, Ref], + csum_V1$in: Int, i_V5$in: Int, err_V0_CN4$in: Tuple2[Ref, Types]) + returns (csum_V1$out: Int) + requires acc((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + requires 0 <= i_V5$in && + i_V5$in < + (slen((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) && + i_V5$in % 2 == 0 && + (slen((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int) % + 2 == + 0 + requires err_V0_CN4$in == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + ensures err_V0_CN4$in == (tuple2(null, nil_Types()): Tuple2[Ref, Types]) + ensures acc((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, 1 / + 4194304) && + acc(AbsSlice_Bytes_e630ae22_F((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$, + 0, (slen((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$): Int)), 1 / + 4194304) + ensures (ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$ == + old((ShStructget13of17(s_V0_CN0$in): Ref).SliceIntbyte$$$_S_$$$$$$$_E_$$$) + + +// decreases _ +method PutUint64_72f0d887_MbigEndian(e_V0: Int, b_V0: Slice[Ref], v_V0: Int) + requires 
acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, write) + requires acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 4)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 5)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 6)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 7)): Ref).Intbyte$$$$_E_$$$, write) + ensures acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 0)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 1)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 2)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 3)): Ref).Intbyte$$$$_E_$$$, write) + ensures acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 4)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 5)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 6)): Ref).Intbyte$$$$_E_$$$, write) && + acc((ShArrayloc((sarray(b_V0): ShArray[Ref]), sadd((soffset(b_V0): Int), + 7)): Ref).Intbyte$$$$_E_$$$, write) + + +// decreases _ +method New_bfd5223e_F(msg_V0: Int, errCtx_V0: Slice[Ref]) + returns (res_V0: Tuple2[Ref, Types]) + requires 
(forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures (forall i_V1: Int :: + { (ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref) } + 0 <= i_V1 && i_V1 < (slen(errCtx_V0): Int) ==> + acc((ShArrayloc((sarray(errCtx_V0): ShArray[Ref]), sadd((soffset(errCtx_V0): Int), + i_V1)): Ref).Interfaceempty_interface$$$$_E_$$$, 1 / 131072)) + ensures !(res_V0 == (tuple2(null, nil_Types()): Tuple2[Ref, Types])) && + acc(ErrorMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0), write) + ensures IsDuplicableMem_a4af0e5e_SY$c04328b0_a4af0e5e_(res_V0) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--bar-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--bar-Both.vpr new file mode 100644 index 00000000..3d1a3a45 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--bar-Both.vpr 
@@ -0,0 +1,1502 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + + function mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): 
FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function 
f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function 
bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + 
function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1, + _2), + true] + + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < 
write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) { + true +} + +method m_bar() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var __t41: Bool + var __t42: Bool + var __t43: Bool + var __t44: Bool + var __t45: Bool + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Ref + var _12: Ref + var _13: Ref + var _14: Ref + var _15: Ref + var _18: Ref + var _19: Ref + var _20: Ref + var _21: Ref + var _24: Ref + var _25: Ref + var _26: Ref + var _27: Ref + var _29: Ref + var _30: Ref + var _31: Ref + var _32: Ref + var _33: Ref + var _34: Ref + var _36: Ref + var _37: Ref + var _38: Ref + var _39: Ref + var _42: Ref + var _43: Ref + var _44: Ref + var _45: Ref + var _48: Ref + var _49: Ref + var _50: Ref + var _51: Ref + var _54: Ref + var _55: Ref + var _56: Ref + var _57: Ref + var _60: Ref + var _61: Ref + var _62: Ref + var _63: Ref + var _66: Ref + var _67: Ref + var _68: 
Ref + var _69: Ref + var _t71: Ref + var _t72: Ref + var _t73: Ref + var _t74: Ref + var _t75: Ref + var _t76: Ref + + label start + // ========== start ========== + // Def path: "nll_rfc_case1::bar" + // Span: tests/verify/pass/quick/nll-rfc-case1.rs:90:1: 112:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + __t27 := false + __t28 := false + __t29 := false + __t30 := false + __t31 := false + __t32 := false + __t33 := false + __t34 := false + __t35 := false + __t36 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_1) + // [mir] _1 = VecWrapperI32::new() -> [return: bb1, unwind: bb38] + label l0 + _1 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(_1), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1)) == + 0 + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] FakeRead(ForLet(None), _1) + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] _3 = &mut _1 + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + _3.val_ref := _1 + label l2 + // [mir] _2 = VecWrapperI32::push(move _3, const 1_i32) -> [return: bb2, unwind: bb37] + label l3 + _t71 := builtin$havoc_ref() + inhale acc(i32(_t71), write) + assert true + exhale acc(_3.val_ref, write) && + (acc(struct$m_VecWrapperI32(_3.val_ref), write) && + acc(i32(_t71), write)) + _2 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l3](_3.val_ref)), write) + inhale 
acc(tuple0$(_2), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l3](_3.val_ref))) == + old[l3](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_3.val_ref))) + + 1 && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l3](_3.val_ref)), + old[l3](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_3.val_ref)))) == + old[l3](1) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + old[l3](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_3.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l3](_3.val_ref)), + _0_quant_0) == + old[l3](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_3.val_ref), + _0_quant_0))))) + label l4 + // ========== l5 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L24,L0,) + + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_3) + // [mir] StorageDead(_2) + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] _5 = &mut _1 + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _1 + label l6 + // [mir] _4 = VecWrapperI32::push(move _5, const -2_i32) -> [return: bb3, unwind: bb37] + label l7 + _t72 := 
builtin$havoc_ref() + inhale acc(i32(_t72), write) + assert true + exhale acc(_5.val_ref, write) && + (acc(struct$m_VecWrapperI32(_5.val_ref), write) && + acc(i32(_t72), write)) + _4 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l7](_5.val_ref)), write) + inhale acc(tuple0$(_4), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l7](_5.val_ref))) == + old[l7](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_5.val_ref))) + + 1 && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l7](_5.val_ref)), + old[l7](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_5.val_ref)))) == + old[l7](-2) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + old[l7](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_5.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l7](_5.val_ref)), + _0_quant_0) == + old[l7](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_5.val_ref), + _0_quant_0))))) + label l8 + // ========== l9 ========== + // MIR edge bb2 --> bb3 + // Expire borrows + // expire_borrows ReborrowingDAG(L22,L1,) + + // ========== bb3 ========== + __t3 := true + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // 
[mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] _7 = &mut _1 + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _1 + label l10 + // [mir] _6 = VecWrapperI32::push(move _7, const 3_i32) -> [return: bb4, unwind: bb37] + label l11 + _t73 := builtin$havoc_ref() + inhale acc(i32(_t73), write) + assert true + exhale acc(_7.val_ref, write) && + (acc(struct$m_VecWrapperI32(_7.val_ref), write) && + acc(i32(_t73), write)) + _6 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l11](_7.val_ref)), write) + inhale acc(tuple0$(_6), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l11](_7.val_ref))) == + old[l11](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_7.val_ref))) + + 1 && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l11](_7.val_ref)), + old[l11](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_7.val_ref)))) == + old[l11](3) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + old[l11](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_7.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l11](_7.val_ref)), + _0_quant_0) == + 
old[l11](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_7.val_ref), + _0_quant_0))))) + label l12 + // ========== l13 ========== + // MIR edge bb3 --> bb4 + // Expire borrows + // expire_borrows ReborrowingDAG(L21,L2,) + + // ========== bb4 ========== + __t4 := true + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] StorageLive(_8) + // [mir] _8 = &mut _1 + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + _8.val_ref := _1 + label l14 + // [mir] FakeRead(ForLet(None), _8) + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = &mut (*_8) + _10 := builtin$havoc_ref() + inhale acc(_10.val_ref, write) + _10.val_ref := _8.val_ref + label l15 + // [mir] _9 = capitalize(move _10) -> [return: bb5, unwind: bb37] + label l16 + assert true + exhale acc(_10.val_ref, write) && + acc(struct$m_VecWrapperI32(_10.val_ref), write) + _9 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l16](_10.val_ref)), write) + inhale acc(tuple0$(_9), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref))) == + old[l16](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref))) && + ((forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref)), + _0_quant_0) <= + 0)) && + ((forall 
_0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref)))) || + (old[l16](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref), + _0_quant_0)) > + 0 ==> + !(old[l16](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref), + _0_quant_0)) == + -2147483648) && + -old[l16](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref)), + _0_quant_0)))) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref)))) || + (old[l16](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref), + _0_quant_0)) <= + 0 ==> + old[l16](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref), + _0_quant_0)) == + 
f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_10.val_ref)), + _0_quant_0)))))) + label l17 + // ========== l18 ========== + // MIR edge bb4 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L20,L4,L3,) + + // ========== bb5 ========== + __t5 := true + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] StorageLive(_14) + // [mir] StorageLive(_15) + // [mir] _15 = &_1 + _15 := builtin$havoc_ref() + inhale acc(_15.val_ref, write) + _15.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale acc(struct$m_VecWrapperI32(_15.val_ref), read$()) + label l19 + // [mir] _14 = VecWrapperI32::lookup(move _15, const 0_usize) -> [return: bb6, unwind: bb37] + label l20 + _14 := builtin$havoc_ref() + inhale acc(i32(_14), write) + inhale (unfolding acc(i32(_14), write) in _14.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_15.val_ref), + 0) + // transfer perm _15.val_ref --> old[l20](_15.val_ref) // unchecked: false + // ========== l21 ========== + // MIR edge bb5 --> bb6 + // Expire borrows + // expire_borrows ReborrowingDAG(L34,L5,) + + if (__t5 && __t5) { + // expire loan L5 + // transfer perm old[l20](_15.val_ref) --> old[l19](_15.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l19](_15.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb6 ========== + __t6 := true + // [mir] StorageDead(_15) + // [mir] _13 = Eq(move _14, const -1_i32) + _13 := builtin$havoc_ref() + inhale acc(_13.val_bool, write) + unfold acc(i32(_14), write) + _13.val_bool := _14.val_int == -1 + // [mir] StorageDead(_14) + // [mir] _12 = Not(move _13) + _12 
:= builtin$havoc_ref() + inhale acc(_12.val_bool, write) + _12.val_bool := !_13.val_bool + // [mir] StorageDead(_13) + // [mir] switchInt(move _12) -> [0: bb8, otherwise: bb7] + __t37 := _12.val_bool + if (__t37) { + goto l26 + } + goto return + + label bb0 + // ========== l27 ========== + // MIR edge bb9 --> bb11 + // ========== bb11 ========== + __t11 := true + // [mir] _17 = const () + // [mir] StorageDead(_18) + // [mir] StorageDead(_17) + // [mir] StorageLive(_23) + // [mir] StorageLive(_24) + // [mir] StorageLive(_25) + // [mir] StorageLive(_26) + // [mir] StorageLive(_27) + // [mir] _27 = &_1 + _27 := builtin$havoc_ref() + inhale acc(_27.val_ref, write) + _27.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale acc(struct$m_VecWrapperI32(_27.val_ref), read$()) + label l29 + // [mir] _26 = VecWrapperI32::lookup(move _27, const 2_usize) -> [return: bb12, unwind: bb37] + label l30 + _26 := builtin$havoc_ref() + inhale acc(i32(_26), write) + inhale (unfolding acc(i32(_26), write) in _26.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_27.val_ref), + 2) + // transfer perm _27.val_ref --> old[l30](_27.val_ref) // unchecked: false + // ========== l31 ========== + // MIR edge bb11 --> bb12 + // Expire borrows + // expire_borrows ReborrowingDAG(L30,L7,) + + if (__t11 && __t11) { + // expire loan L7 + // transfer perm old[l30](_27.val_ref) --> old[l29](_27.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l29](_27.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb12 ========== + __t12 := true + // [mir] StorageDead(_27) + // [mir] _25 = Eq(move _26, const -3_i32) + _25 := builtin$havoc_ref() + inhale acc(_25.val_bool, write) + unfold acc(i32(_26), write) + _25.val_bool := _26.val_int == -3 + // [mir] StorageDead(_26) + // [mir] _24 = Not(move 
_25) + _24 := builtin$havoc_ref() + inhale acc(_24.val_bool, write) + _24.val_bool := !_25.val_bool + // [mir] StorageDead(_25) + // [mir] switchInt(move _24) -> [0: bb14, otherwise: bb13] + __t39 := _24.val_bool + if (__t39) { + goto bb7 + } + goto bb1 + + label bb1 + // ========== l32 ========== + // MIR edge bb12 --> bb14 + // ========== bb14 ========== + __t14 := true + // [mir] _23 = const () + // [mir] StorageDead(_24) + // [mir] StorageDead(_23) + // [mir] StorageLive(_29) + // [mir] StorageLive(_30) + // [mir] _30 = &mut _1 + _30 := builtin$havoc_ref() + inhale acc(_30.val_ref, write) + _30.val_ref := _1 + label l34 + // [mir] _29 = VecWrapperI32::push(move _30, const 4_i32) -> [return: bb15, unwind: bb37] + label l35 + _t74 := builtin$havoc_ref() + inhale acc(i32(_t74), write) + assert true + exhale acc(_30.val_ref, write) && + (acc(struct$m_VecWrapperI32(_30.val_ref), write) && + acc(i32(_t74), write)) + _29 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l35](_30.val_ref)), write) + inhale acc(tuple0$(_29), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_30.val_ref))) == + old[l35](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_30.val_ref))) + + 1 && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_30.val_ref)), + old[l35](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_30.val_ref)))) == + old[l35](4) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + 
old[l35](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_30.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_30.val_ref)), + _0_quant_0) == + old[l35](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_30.val_ref), + _0_quant_0))))) + label l36 + // ========== l37 ========== + // MIR edge bb14 --> bb15 + // Expire borrows + // expire_borrows ReborrowingDAG(L28,L8,) + + // ========== bb15 ========== + __t15 := true + // [mir] StorageDead(_30) + // [mir] StorageDead(_29) + // [mir] StorageLive(_31) + // [mir] StorageLive(_32) + // [mir] _32 = &mut _1 + _32 := builtin$havoc_ref() + inhale acc(_32.val_ref, write) + _32.val_ref := _1 + label l38 + // [mir] _31 = VecWrapperI32::push(move _32, const -5_i32) -> [return: bb16, unwind: bb37] + label l39 + _t75 := builtin$havoc_ref() + inhale acc(i32(_t75), write) + assert true + exhale acc(_32.val_ref, write) && + (acc(struct$m_VecWrapperI32(_32.val_ref), write) && + acc(i32(_t75), write)) + _31 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l39](_32.val_ref)), write) + inhale acc(tuple0$(_31), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l39](_32.val_ref))) == + old[l39](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_32.val_ref))) + + 1 && + 
(f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l39](_32.val_ref)), + old[l39](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_32.val_ref)))) == + old[l39](-5) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + old[l39](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_32.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l39](_32.val_ref)), + _0_quant_0) == + old[l39](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_32.val_ref), + _0_quant_0))))) + label l40 + // ========== l41 ========== + // MIR edge bb15 --> bb16 + // Expire borrows + // expire_borrows ReborrowingDAG(L27,L9,) + + // ========== bb16 ========== + __t16 := true + // [mir] StorageDead(_32) + // [mir] StorageDead(_31) + // [mir] StorageLive(_33) + // [mir] StorageLive(_34) + // [mir] _34 = &mut _1 + _34 := builtin$havoc_ref() + inhale acc(_34.val_ref, write) + _34.val_ref := _1 + label l42 + // [mir] _33 = VecWrapperI32::push(move _34, const 6_i32) -> [return: bb17, unwind: bb37] + label l43 + _t76 := builtin$havoc_ref() + inhale acc(i32(_t76), write) + assert true + exhale acc(_34.val_ref, write) && + (acc(struct$m_VecWrapperI32(_34.val_ref), write) && + acc(i32(_t76), write)) + _33 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l43](_34.val_ref)), write) + inhale acc(tuple0$(_33), write) + inhale true + inhale 
f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l43](_34.val_ref))) == + old[l43](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_34.val_ref))) + + 1 && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l43](_34.val_ref)), + old[l43](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_34.val_ref)))) == + old[l43](6) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + old[l43](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_34.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l43](_34.val_ref)), + _0_quant_0) == + old[l43](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_34.val_ref), + _0_quant_0))))) + label l44 + // ========== l45 ========== + // MIR edge bb16 --> bb17 + // Expire borrows + // expire_borrows ReborrowingDAG(L26,L10,) + + // ========== bb17 ========== + __t17 := true + // [mir] StorageDead(_34) + // [mir] StorageDead(_33) + // [mir] StorageLive(_35) + // [mir] StorageLive(_36) + // [mir] StorageLive(_37) + // [mir] StorageLive(_38) + // [mir] StorageLive(_39) + // [mir] _39 = &_1 + _39 := builtin$havoc_ref() + inhale acc(_39.val_ref, write) + _39.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale 
acc(struct$m_VecWrapperI32(_39.val_ref), read$()) + label l46 + // [mir] _38 = VecWrapperI32::lookup(move _39, const 0_usize) -> [return: bb18, unwind: bb37] + label l47 + _38 := builtin$havoc_ref() + inhale acc(i32(_38), write) + inhale (unfolding acc(i32(_38), write) in _38.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_39.val_ref), + 0) + // transfer perm _39.val_ref --> old[l47](_39.val_ref) // unchecked: false + // ========== l48 ========== + // MIR edge bb17 --> bb18 + // Expire borrows + // expire_borrows ReborrowingDAG(L23,L11,) + + if (__t17 && __t17) { + // expire loan L11 + // transfer perm old[l47](_39.val_ref) --> old[l46](_39.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l46](_39.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb18 ========== + __t18 := true + // [mir] StorageDead(_39) + // [mir] _37 = Eq(move _38, const -1_i32) + _37 := builtin$havoc_ref() + inhale acc(_37.val_bool, write) + unfold acc(i32(_38), write) + _37.val_bool := _38.val_int == -1 + // [mir] StorageDead(_38) + // [mir] _36 = Not(move _37) + _36 := builtin$havoc_ref() + inhale acc(_36.val_bool, write) + _36.val_bool := !_37.val_bool + // [mir] StorageDead(_37) + // [mir] switchInt(move _36) -> [0: bb20, otherwise: bb19] + __t40 := _36.val_bool + if (__t40) { + goto l23 + } + goto l5 + + label bb2 + // ========== l54 ========== + // MIR edge bb21 --> bb23 + // ========== bb23 ========== + __t23 := true + // [mir] _41 = const () + // [mir] StorageDead(_42) + // [mir] StorageDead(_41) + // [mir] StorageLive(_47) + // [mir] StorageLive(_48) + // [mir] StorageLive(_49) + // [mir] StorageLive(_50) + // [mir] StorageLive(_51) + // [mir] _51 = &_1 + _51 := builtin$havoc_ref() + inhale acc(_51.val_ref, write) + _51.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) 
+ inhale acc(struct$m_VecWrapperI32(_51.val_ref), read$()) + label l56 + // [mir] _50 = VecWrapperI32::lookup(move _51, const 2_usize) -> [return: bb24, unwind: bb37] + label l57 + _50 := builtin$havoc_ref() + inhale acc(i32(_50), write) + inhale (unfolding acc(i32(_50), write) in _50.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_51.val_ref), + 2) + // transfer perm _51.val_ref --> old[l57](_51.val_ref) // unchecked: false + // ========== l58 ========== + // MIR edge bb23 --> bb24 + // Expire borrows + // expire_borrows ReborrowingDAG(L33,L13,) + + if (__t23 && __t23) { + // expire loan L13 + // transfer perm old[l57](_51.val_ref) --> old[l56](_51.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l56](_51.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb24 ========== + __t24 := true + // [mir] StorageDead(_51) + // [mir] _49 = Eq(move _50, const -3_i32) + _49 := builtin$havoc_ref() + inhale acc(_49.val_bool, write) + unfold acc(i32(_50), write) + _49.val_bool := _50.val_int == -3 + // [mir] StorageDead(_50) + // [mir] _48 = Not(move _49) + _48 := builtin$havoc_ref() + inhale acc(_48.val_bool, write) + _48.val_bool := !_49.val_bool + // [mir] StorageDead(_49) + // [mir] switchInt(move _48) -> [0: bb26, otherwise: bb25] + __t42 := _48.val_bool + if (__t42) { + goto bb6 + } + goto l9 + + label bb3 + // ========== l64 ========== + // MIR edge bb27 --> bb29 + // ========== bb29 ========== + __t29 := true + // [mir] _53 = const () + // [mir] StorageDead(_54) + // [mir] StorageDead(_53) + // [mir] StorageLive(_59) + // [mir] StorageLive(_60) + // [mir] StorageLive(_61) + // [mir] StorageLive(_62) + // [mir] StorageLive(_63) + // [mir] _63 = &_1 + _63 := builtin$havoc_ref() + inhale acc(_63.val_ref, write) + _63.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - 
read$()) + inhale acc(struct$m_VecWrapperI32(_63.val_ref), read$()) + label l66 + // [mir] _62 = VecWrapperI32::lookup(move _63, const 4_usize) -> [return: bb30, unwind: bb37] + label l67 + _62 := builtin$havoc_ref() + inhale acc(i32(_62), write) + inhale (unfolding acc(i32(_62), write) in _62.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_63.val_ref), + 4) + // transfer perm _63.val_ref --> old[l67](_63.val_ref) // unchecked: false + // ========== l68 ========== + // MIR edge bb29 --> bb30 + // Expire borrows + // expire_borrows ReborrowingDAG(L29,L15,) + + if (__t29 && __t29) { + // expire loan L15 + // transfer perm old[l67](_63.val_ref) --> old[l66](_63.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l66](_63.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb30 ========== + __t30 := true + // [mir] StorageDead(_63) + // [mir] _61 = Eq(move _62, const -5_i32) + _61 := builtin$havoc_ref() + inhale acc(_61.val_bool, write) + unfold acc(i32(_62), write) + _61.val_bool := _62.val_int == -5 + // [mir] StorageDead(_62) + // [mir] _60 = Not(move _61) + _60 := builtin$havoc_ref() + inhale acc(_60.val_bool, write) + _60.val_bool := !_61.val_bool + // [mir] StorageDead(_61) + // [mir] switchInt(move _60) -> [0: bb32, otherwise: bb31] + __t44 := _60.val_bool + if (__t44) { + goto bb5 + } + goto l13 + + label bb4 + // ========== l74 ========== + // MIR edge bb33 --> bb35 + // ========== bb35 ========== + __t35 := true + // [mir] _65 = const () + // [mir] StorageDead(_66) + // [mir] StorageDead(_65) + // [mir] _0 = const () + // [mir] StorageDead(_8) + // [mir] drop(_1) -> [return: bb36, unwind: bb38] + // ========== bb36 ========== + __t36 := true + // [mir] StorageDead(_1) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l77 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label bb5 + // ========== l70 ========== + // MIR edge bb30 --> bb31 + // ========== bb31 ========== + __t31 := true + // [mir] StorageLive(_64) + // [mir] _64 = core::panicking::panic(const "assertion failed: data.lookup(4) == -5") -> bb37 + // Rust panic - const "assertion failed: data.lookup(4) == -5" + assert false + goto end_of_method + + label bb6 + // ========== l60 ========== + // MIR edge bb24 --> bb25 + // ========== bb25 ========== + __t25 := true + // [mir] StorageLive(_52) + // [mir] _52 = core::panicking::panic(const "assertion failed: data.lookup(2) == -3") -> bb37 + // Rust panic - const "assertion failed: data.lookup(2) == -3" + assert false + goto end_of_method + + label bb7 + // ========== l33 ========== + // MIR edge bb12 --> bb13 + // ========== bb13 ========== + __t13 := true + // [mir] StorageLive(_28) + // [mir] _28 = core::panicking::panic(const "assertion failed: data.lookup(2) == -3") -> bb37 + // Rust panic - const "assertion failed: data.lookup(2) == -3" + assert false + goto end_of_method + + label bb8 + // ========== l28 ========== + // MIR edge bb9 --> bb10 + // ========== bb10 ========== + __t10 := true + // [mir] StorageLive(_22) + // [mir] _22 = core::panicking::panic(const "assertion failed: data.lookup(1) == -2") -> bb37 + // Rust panic - const "assertion failed: data.lookup(1) == -2" + assert false + goto end_of_method + + label l13 + // ========== l69 ========== + // MIR edge bb30 --> bb32 + // ========== 
bb32 ========== + __t32 := true + // [mir] _59 = const () + // [mir] StorageDead(_60) + // [mir] StorageDead(_59) + // [mir] StorageLive(_65) + // [mir] StorageLive(_66) + // [mir] StorageLive(_67) + // [mir] StorageLive(_68) + // [mir] StorageLive(_69) + // [mir] _69 = &_1 + _69 := builtin$havoc_ref() + inhale acc(_69.val_ref, write) + _69.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale acc(struct$m_VecWrapperI32(_69.val_ref), read$()) + label l71 + // [mir] _68 = VecWrapperI32::lookup(move _69, const 5_usize) -> [return: bb33, unwind: bb37] + label l72 + _68 := builtin$havoc_ref() + inhale acc(i32(_68), write) + inhale (unfolding acc(i32(_68), write) in _68.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_69.val_ref), + 5) + // transfer perm _69.val_ref --> old[l72](_69.val_ref) // unchecked: false + // ========== l73 ========== + // MIR edge bb32 --> bb33 + // Expire borrows + // expire_borrows ReborrowingDAG(L25,L16,) + + if (__t32 && __t32) { + // expire loan L16 + // transfer perm old[l72](_69.val_ref) --> old[l71](_69.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l71](_69.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb33 ========== + __t33 := true + // [mir] StorageDead(_69) + // [mir] _67 = Eq(move _68, const 6_i32) + _67 := builtin$havoc_ref() + inhale acc(_67.val_bool, write) + unfold acc(i32(_68), write) + _67.val_bool := _68.val_int == 6 + // [mir] StorageDead(_68) + // [mir] _66 = Not(move _67) + _66 := builtin$havoc_ref() + inhale acc(_66.val_bool, write) + _66.val_bool := !_67.val_bool + // [mir] StorageDead(_67) + // [mir] switchInt(move _66) -> [0: bb35, otherwise: bb34] + __t45 := _66.val_bool + if (__t45) { + goto l18 + } + goto bb4 + + label l18 + // ========== l75 ========== + // MIR edge bb33 --> bb34 + // 
========== bb34 ========== + __t34 := true + // [mir] StorageLive(_70) + // [mir] _70 = core::panicking::panic(const "assertion failed: data.lookup(5) == 6") -> bb37 + // Rust panic - const "assertion failed: data.lookup(5) == 6" + assert false + goto end_of_method + + label l21 + // ========== l65 ========== + // MIR edge bb27 --> bb28 + // ========== bb28 ========== + __t28 := true + // [mir] StorageLive(_58) + // [mir] _58 = core::panicking::panic(const "assertion failed: data.lookup(3) == 4") -> bb37 + // Rust panic - const "assertion failed: data.lookup(3) == 4" + assert false + goto end_of_method + + label l22 + // ========== l55 ========== + // MIR edge bb21 --> bb22 + // ========== bb22 ========== + __t22 := true + // [mir] StorageLive(_46) + // [mir] _46 = core::panicking::panic(const "assertion failed: data.lookup(1) == -2") -> bb37 + // Rust panic - const "assertion failed: data.lookup(1) == -2" + assert false + goto end_of_method + + label l23 + // ========== l50 ========== + // MIR edge bb18 --> bb19 + // ========== bb19 ========== + __t19 := true + // [mir] StorageLive(_40) + // [mir] _40 = core::panicking::panic(const "assertion failed: data.lookup(0) == -1") -> bb37 + // Rust panic - const "assertion failed: data.lookup(0) == -1" + assert false + goto end_of_method + + label l26 + // ========== l23 ========== + // MIR edge bb6 --> bb7 + // ========== bb7 ========== + __t7 := true + // [mir] StorageLive(_16) + // [mir] _16 = core::panicking::panic(const "assertion failed: data.lookup(0) == -1") -> bb37 + // Rust panic - const "assertion failed: data.lookup(0) == -1" + assert false + goto end_of_method + + label l5 + // ========== l49 ========== + // MIR edge bb18 --> bb20 + // ========== bb20 ========== + __t20 := true + // [mir] _35 = const () + // [mir] StorageDead(_36) + // [mir] StorageDead(_35) + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] StorageLive(_43) + // [mir] StorageLive(_44) + // [mir] StorageLive(_45) + // [mir] 
_45 = &_1 + _45 := builtin$havoc_ref() + inhale acc(_45.val_ref, write) + _45.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale acc(struct$m_VecWrapperI32(_45.val_ref), read$()) + label l51 + // [mir] _44 = VecWrapperI32::lookup(move _45, const 1_usize) -> [return: bb21, unwind: bb37] + label l52 + _44 := builtin$havoc_ref() + inhale acc(i32(_44), write) + inhale (unfolding acc(i32(_44), write) in _44.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_45.val_ref), + 1) + // transfer perm _45.val_ref --> old[l52](_45.val_ref) // unchecked: false + // ========== l53 ========== + // MIR edge bb20 --> bb21 + // Expire borrows + // expire_borrows ReborrowingDAG(L19,L12,) + + if (__t20 && __t20) { + // expire loan L12 + // transfer perm old[l52](_45.val_ref) --> old[l51](_45.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l51](_45.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb21 ========== + __t21 := true + // [mir] StorageDead(_45) + // [mir] _43 = Eq(move _44, const -2_i32) + _43 := builtin$havoc_ref() + inhale acc(_43.val_bool, write) + unfold acc(i32(_44), write) + _43.val_bool := _44.val_int == -2 + // [mir] StorageDead(_44) + // [mir] _42 = Not(move _43) + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := !_43.val_bool + // [mir] StorageDead(_43) + // [mir] switchInt(move _42) -> [0: bb23, otherwise: bb22] + __t41 := _42.val_bool + if (__t41) { + goto l22 + } + goto bb2 + + label l9 + // ========== l59 ========== + // MIR edge bb24 --> bb26 + // ========== bb26 ========== + __t26 := true + // [mir] _47 = const () + // [mir] StorageDead(_48) + // [mir] StorageDead(_47) + // [mir] StorageLive(_53) + // [mir] StorageLive(_54) + // [mir] StorageLive(_55) + // [mir] StorageLive(_56) + // [mir] StorageLive(_57) + 
// [mir] _57 = &_1 + _57 := builtin$havoc_ref() + inhale acc(_57.val_ref, write) + _57.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale acc(struct$m_VecWrapperI32(_57.val_ref), read$()) + label l61 + // [mir] _56 = VecWrapperI32::lookup(move _57, const 3_usize) -> [return: bb27, unwind: bb37] + label l62 + _56 := builtin$havoc_ref() + inhale acc(i32(_56), write) + inhale (unfolding acc(i32(_56), write) in _56.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_57.val_ref), + 3) + // transfer perm _57.val_ref --> old[l62](_57.val_ref) // unchecked: false + // ========== l63 ========== + // MIR edge bb26 --> bb27 + // Expire borrows + // expire_borrows ReborrowingDAG(L31,L14,) + + if (__t26 && __t26) { + // expire loan L14 + // transfer perm old[l62](_57.val_ref) --> old[l61](_57.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l61](_57.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb27 ========== + __t27 := true + // [mir] StorageDead(_57) + // [mir] _55 = Eq(move _56, const 4_i32) + _55 := builtin$havoc_ref() + inhale acc(_55.val_bool, write) + unfold acc(i32(_56), write) + _55.val_bool := _56.val_int == 4 + // [mir] StorageDead(_56) + // [mir] _54 = Not(move _55) + _54 := builtin$havoc_ref() + inhale acc(_54.val_bool, write) + _54.val_bool := !_55.val_bool + // [mir] StorageDead(_55) + // [mir] switchInt(move _54) -> [0: bb29, otherwise: bb28] + __t43 := _54.val_bool + if (__t43) { + goto l21 + } + goto bb3 + + label return + // ========== l22 ========== + // MIR edge bb6 --> bb8 + // ========== bb8 ========== + __t8 := true + // [mir] _11 = const () + // [mir] StorageDead(_12) + // [mir] StorageDead(_11) + // [mir] StorageLive(_17) + // [mir] StorageLive(_18) + // [mir] StorageLive(_19) + // [mir] StorageLive(_20) + // [mir] 
StorageLive(_21) + // [mir] _21 = &_1 + _21 := builtin$havoc_ref() + inhale acc(_21.val_ref, write) + _21.val_ref := _1 + exhale acc(struct$m_VecWrapperI32(_1), write - read$()) + inhale acc(struct$m_VecWrapperI32(_21.val_ref), read$()) + label l24 + // [mir] _20 = VecWrapperI32::lookup(move _21, const 1_usize) -> [return: bb9, unwind: bb37] + label l25 + _20 := builtin$havoc_ref() + inhale acc(i32(_20), write) + inhale (unfolding acc(i32(_20), write) in _20.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_21.val_ref), + 1) + // transfer perm _21.val_ref --> old[l25](_21.val_ref) // unchecked: false + // ========== l26 ========== + // MIR edge bb8 --> bb9 + // Expire borrows + // expire_borrows ReborrowingDAG(L32,L6,) + + if (__t8 && __t8) { + // expire loan L6 + // transfer perm old[l25](_21.val_ref) --> old[l24](_21.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l24](_21.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1), write - read$()) + } + // ========== bb9 ========== + __t9 := true + // [mir] StorageDead(_21) + // [mir] _19 = Eq(move _20, const -2_i32) + _19 := builtin$havoc_ref() + inhale acc(_19.val_bool, write) + unfold acc(i32(_20), write) + _19.val_bool := _20.val_int == -2 + // [mir] StorageDead(_20) + // [mir] _18 = Not(move _19) + _18 := builtin$havoc_ref() + inhale acc(_18.val_bool, write) + _18.val_bool := !_19.val_bool + // [mir] StorageDead(_19) + // [mir] switchInt(move _18) -> [0: bb11, otherwise: bb10] + __t38 := _18.val_bool + if (__t38) { + goto bb8 + } + goto bb0 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--capitalize-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--capitalize-Both.vpr new file mode 100644 index 00000000..fe0eeca0 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--capitalize-Both.vpr 
@@ -0,0 +1,1353 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + + function mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): 
FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function 
f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function 
bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + 
function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1, + _2), + true] + + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + 
ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) { + true +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_capitalize() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var _preserve$0: Ref + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Int + var _5: Int + var _6: Ref + var _8: Ref + var _10: Ref + var _14: Ref + var _19: Ref + var _24: Ref + var _29: Ref + var _34: Ref + var _38: Ref + var _39: Ref + var _40: Int + var _42: Ref + var _43: Int + var _44: Ref + var _45: Ref + var _46: Int + var _47: Ref + var _48: Int + var _49: Ref + var _50: Ref + var _51: Ref + var _52: Int + var _53: Ref + var _54: Ref + var _55: Int + var _56: Int + var _57: Ref + + label start + // ========== start ========== + // Def path: "nll_rfc_case1::capitalize" + // Span: 
tests/verify/pass/quick/nll-rfc-case1.rs:66:1: 88:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(struct$m_VecWrapperI32(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] _2 = const 0_usize + _2 := builtin$havoc_ref() + inhale acc(_2.val_int, write) + _2.val_int := 0 + // [mir] FakeRead(ForLet(None), _2) + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + _4 := _2.val_int + label l0 + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = &(*_1) + _6 := builtin$havoc_ref() + inhale acc(_6.val_ref, write) + _6.val_ref := _1.val_ref + exhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + inhale acc(struct$m_VecWrapperI32(_6.val_ref), read$()) + label l1 + // [mir] _5 = VecWrapperI32::len(move _6) -> [return: bb1, unwind: bb33] + label l2 + _5 := builtin$havoc_int() + inhale _5 >= 0 + inhale _5 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_6.val_ref)) + // transfer perm _6.val_ref --> old[l2](_6.val_ref) // unchecked: false + // ========== l3 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L22,L0,) + + if (__t0 && __t0) { + // expire loan L0 + // transfer perm old[l2](_6.val_ref) --> old[l1](_6.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l1](_6.val_ref)), read$()) + inhale 
acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + } + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_6) + // [mir] _3 = Lt(move _4, move _5) + _3 := builtin$havoc_ref() + inhale acc(_3.val_bool, write) + inhale _5 >= 0 + _3.val_bool := _4 < _5 + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // [mir] FakeRead(ForLet(None), _3) + // [mir] goto -> bb2 + // ========== loop2_start ========== + // ========== loop2_group1_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb33] + // ========== loop2_group1_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = _3 + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _3.val_bool + label l4 + // [mir] switchInt(move _8) -> [0: bb32, otherwise: bb4] + __t27 := _8.val_bool + if (__t27) { + goto bb0 + } + goto return + + label bb0 + // ========== l6 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_group2_bb4 ========== + __t4 := true + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = const false + _10 := builtin$havoc_ref() + inhale acc(_10.val_bool, write) + _10.val_bool := false + // [mir] switchInt(move _10) -> [0: bb6, otherwise: bb5] + __t28 := _10.val_bool + // Ignore default target bb5, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop2_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb2) + _preserve$0 := _1.val_ref + fold acc(usize(_2), write) + // obtain acc(usize(_2), write) + fold acc(bool(_3), write) + // obtain acc(bool(_3), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) && + (0 <= (unfolding acc(usize(_2), write) in _2.val_int) && + (unfolding acc(usize(_2), write) in _2.val_int) < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < _2.val_int ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0) <= + 0))) && + ((unfolding acc(usize(_2), write) in + (let _LET_0 == + (_2.val_int) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(_LET_0 <= _0_quant_0) || + (_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + 
f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))) && + ((unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _2.val_int) || + (old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) > + 0 ==> + !(old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + -2147483648) && + -old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))) && + (unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _2.val_int) || + (old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) <= + 0 ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))))))) + assert true + assert _preserve$0 == _1.val_ref + 
exhale acc(usize(_2), write) && + (acc(bool(_3), write) && + (acc(_1.val_ref, read$()) && + acc(struct$m_VecWrapperI32(_1.val_ref), write))) + _10 := builtin$havoc_ref() + _14 := builtin$havoc_ref() + _19 := builtin$havoc_ref() + _2 := builtin$havoc_ref() + _24 := builtin$havoc_ref() + _29 := builtin$havoc_ref() + _34 := builtin$havoc_ref() + _38 := builtin$havoc_ref() + _39 := builtin$havoc_ref() + _40 := builtin$havoc_int() + _42 := builtin$havoc_ref() + _43 := builtin$havoc_int() + _44 := builtin$havoc_ref() + _45 := builtin$havoc_ref() + _46 := builtin$havoc_int() + _47 := builtin$havoc_ref() + _48 := builtin$havoc_int() + _49 := builtin$havoc_ref() + _50 := builtin$havoc_ref() + _51 := builtin$havoc_ref() + _52 := builtin$havoc_int() + _53 := builtin$havoc_ref() + _54 := builtin$havoc_ref() + _55 := builtin$havoc_int() + _56 := builtin$havoc_int() + _57 := builtin$havoc_ref() + _8 := builtin$havoc_ref() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t2 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t31 := builtin$havoc_bool() + __t32 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t34 := builtin$havoc_bool() + __t35 := builtin$havoc_bool() + __t36 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t40 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t6 := builtin$havoc_bool() + __t7 := 
builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + // ========== loop2_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb2 + inhale acc(usize(_2), write) && + (acc(bool(_3), write) && + (acc(_1.val_ref, read$()) && + acc(struct$m_VecWrapperI32(_1.val_ref), write))) + inhale _preserve$0 == _1.val_ref + inhale true + // ========== loop2_group2a_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb33] + // ========== loop2_group2a_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = _3 + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + unfold acc(bool(_3), write) + _8.val_bool := _3.val_bool + label l7 + // [mir] switchInt(move _8) -> [0: bb32, otherwise: bb4] + __t29 := _8.val_bool + if (__t29) { + goto bb1 + } + goto l3 + + label bb1 + // ========== l9 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_group2b_bb4 ========== + __t4 := true + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = const false + _10 := builtin$havoc_ref() + inhale acc(_10.val_bool, write) + _10.val_bool := false + // [mir] switchInt(move _10) -> [0: bb6, otherwise: bb5] + __t30 := _10.val_bool + // Ignore default target bb5, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop2_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb2 + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) && + (0 <= (unfolding acc(usize(_2), write) in _2.val_int) && + (unfolding acc(usize(_2), write) in _2.val_int) < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < _2.val_int ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0) <= + 0))) && + ((unfolding acc(usize(_2), write) in + (let _LET_1 == + (_2.val_int) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(_LET_1 <= _0_quant_0) || + (_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))) && + ((unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _2.val_int) || + 
(old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) > + 0 ==> + !(old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + -2147483648) && + -old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))) && + (unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _2.val_int) || + (old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) <= + 0 ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))))))) + // ========== loop2_group3_bb6 ========== + __t5 := true + // [mir] _9 = const () + // [mir] goto -> bb7 + // ========== loop2_group3_bb7 ========== + __t6 := true + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] StorageLive(_13) + // [mir] StorageLive(_14) + // [mir] _14 = const false + _14 := builtin$havoc_ref() + inhale acc(_14.val_bool, write) + _14.val_bool := false + 
// [mir] switchInt(move _14) -> [0: bb9, otherwise: bb8] + __t31 := _14.val_bool + // Ignore default target bb8, as it is only used by Prusti to type-check a loop invariant. + // ========== loop2_group3_bb9 ========== + __t7 := true + // [mir] _13 = const () + // [mir] goto -> bb10 + // ========== loop2_group3_bb10 ========== + __t8 := true + // [mir] StorageDead(_14) + // [mir] StorageDead(_13) + // [mir] StorageLive(_18) + // [mir] StorageLive(_19) + // [mir] _19 = const false + _19 := builtin$havoc_ref() + inhale acc(_19.val_bool, write) + _19.val_bool := false + // [mir] switchInt(move _19) -> [0: bb12, otherwise: bb11] + __t32 := _19.val_bool + // Ignore default target bb11, as it is only used by Prusti to type-check a loop invariant. + // ========== loop2_group3_bb12 ========== + __t9 := true + // [mir] _18 = const () + // [mir] goto -> bb13 + // ========== loop2_group3_bb13 ========== + __t10 := true + // [mir] StorageDead(_19) + // [mir] StorageDead(_18) + // [mir] StorageLive(_23) + // [mir] StorageLive(_24) + // [mir] _24 = const false + _24 := builtin$havoc_ref() + inhale acc(_24.val_bool, write) + _24.val_bool := false + // [mir] switchInt(move _24) -> [0: bb15, otherwise: bb14] + __t33 := _24.val_bool + // Ignore default target bb14, as it is only used by Prusti to type-check a loop invariant. + // ========== loop2_group3_bb15 ========== + __t11 := true + // [mir] _23 = const () + // [mir] goto -> bb16 + // ========== loop2_group3_bb16 ========== + __t12 := true + // [mir] StorageDead(_24) + // [mir] StorageDead(_23) + // [mir] StorageLive(_28) + // [mir] StorageLive(_29) + // [mir] _29 = const false + _29 := builtin$havoc_ref() + inhale acc(_29.val_bool, write) + _29.val_bool := false + // [mir] switchInt(move _29) -> [0: bb18, otherwise: bb17] + __t34 := _29.val_bool + // Ignore default target bb17, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop2_group3_bb18 ========== + __t13 := true + // [mir] _28 = const () + // [mir] goto -> bb19 + // ========== loop2_group3_bb19 ========== + __t14 := true + // [mir] StorageDead(_29) + // [mir] StorageDead(_28) + // [mir] StorageLive(_33) + // [mir] StorageLive(_34) + // [mir] _34 = const false + _34 := builtin$havoc_ref() + inhale acc(_34.val_bool, write) + _34.val_bool := false + // [mir] switchInt(move _34) -> [0: bb21, otherwise: bb20] + __t35 := _34.val_bool + // Ignore default target bb20, as it is only used by Prusti to type-check a loop invariant. + // ========== loop2_group3_bb21 ========== + __t15 := true + // [mir] _33 = const () + // [mir] goto -> bb22 + // ========== loop2_group3_bb22 ========== + __t16 := true + // [mir] StorageDead(_34) + // [mir] StorageDead(_33) + // [mir] StorageLive(_38) + // [mir] StorageLive(_39) + // [mir] _39 = &(*_1) + _39 := builtin$havoc_ref() + inhale acc(_39.val_ref, write) + _39.val_ref := _1.val_ref + exhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + inhale acc(struct$m_VecWrapperI32(_39.val_ref), read$()) + label l10 + // [mir] StorageLive(_40) + // [mir] _40 = _2 + _40 := builtin$havoc_int() + unfold acc(usize(_2), write) + _40 := _2.val_int + label l11 + // [mir] _38 = VecWrapperI32::lookup(move _39, move _40) -> [return: bb23, unwind: bb33] + label l12 + _38 := builtin$havoc_ref() + inhale acc(i32(_38), write) + inhale (unfolding acc(i32(_38), write) in _38.val_int) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_39.val_ref), + _40) + // transfer perm _39.val_ref --> old[l12](_39.val_ref) // unchecked: false + // ========== l13 ========== + // MIR edge bb22 --> bb23 + // Expire borrows + // expire_borrows ReborrowingDAG(L20,L12,) + + if (__t16 && __t16) { + // expire loan L12 + // transfer perm old[l12](_39.val_ref) --> old[l10](_39.val_ref) // unchecked: false + 
exhale acc(struct$m_VecWrapperI32(old[l10](_39.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + } + // ========== loop2_group3_bb23 ========== + __t17 := true + // [mir] StorageDead(_40) + // [mir] StorageDead(_39) + // [mir] FakeRead(ForLet(None), _38) + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] StorageLive(_43) + // [mir] _43 = _38 + _43 := builtin$havoc_int() + unfold acc(i32(_38), write) + _43 := _38.val_int + label l14 + // [mir] _42 = Gt(move _43, const 0_i32) + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := _43 > 0 + // [mir] StorageDead(_43) + // [mir] switchInt(move _42) -> [0: bb27, otherwise: bb24] + __t36 := _42.val_bool + if (__t36) { + goto loop2_group1_bb2 + } + goto loop2_start + + label l3 + // ========== l8 ========== + // MIR edge bb3 --> bb32 + goto end_of_method + + label l5 + // ========== l35 ========== + // MIR edge bb3 --> bb32 + // ========== l40 ========== + // drop Acc(_19.val_bool, write) (Acc(_19.val_bool, write)) + // drop Acc(_57.val_ref, write) (Acc(_57.val_ref, write)) + // drop Acc(_24.val_bool, write) (Acc(_24.val_bool, write)) + // drop Acc(_56.val_int, write) (Acc(_56.val_int, write)) + // drop Acc(_39.val_ref, write) (Acc(_39.val_ref, write)) + // drop Acc(_29.val_bool, write) (Acc(_29.val_bool, write)) + // drop Acc(_42.val_bool, write) (Acc(_42.val_bool, write)) + // drop Acc(_54.tuple_0, write) (Acc(_54.tuple_0, write)) + // drop Acc(old[l31](_57.val_ref), write) (Acc(old[l31](_57.val_ref), write)) + // drop Acc(_14.val_bool, write) (Acc(_14.val_bool, write)) + // drop Acc(_34.val_bool, write) (Acc(_34.val_bool, write)) + // drop Acc(_40.val_int, write) (Acc(_40.val_int, write)) + // drop Acc(old[l10](_39.val_ref), write) (Acc(old[l10](_39.val_ref), write)) + // drop Acc(_38.val_int, write) (Acc(_38.val_int, write)) + // drop Acc(_10.val_bool, write) (Acc(_10.val_bool, write)) + // drop Acc(_43.val_int, write) (Acc(_43.val_int, 
write)) + // drop Acc(_55.val_int, write) (Acc(_55.val_int, write)) + // drop Acc(_54.tuple_1.val_bool, write) (Acc(_54.tuple_1.val_bool, write)) + // drop Acc(_54.tuple_1, write) (Acc(_54.tuple_1, write)) + goto l6 + + label l6 + // ========== bb32 ========== + __t26 := true + // [mir] StorageLive(_59) + // [mir] _0 = const () + // [mir] StorageDead(_59) + // [mir] StorageDead(_8) + // [mir] StorageDead(_3) + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l38 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) && + ((forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0), + _0_quant_0) <= + 0)) && + ((forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0))) || + 
(old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) > + 0 ==> + !(old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + -2147483648) && + -old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0), + _0_quant_0)))) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0))) || + (old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) <= + 0 ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0), + _0_quant_0)))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_VecWrapperI32(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto 
end_of_method + + label loop2_group1_bb2 + // ========== l16 ========== + // MIR edge bb23 --> bb24 + // ========== loop2_group3_bb24 ========== + __t18 := true + // [mir] StorageLive(_44) + // [mir] StorageLive(_45) + // [mir] _45 = &mut (*_1) + _45 := builtin$havoc_ref() + inhale acc(_45.val_ref, write) + _45.val_ref := _1.val_ref + label l17 + // [mir] StorageLive(_46) + // [mir] _46 = _2 + _46 := builtin$havoc_int() + _46 := _2.val_int + label l18 + // [mir] StorageLive(_47) + // [mir] StorageLive(_48) + // [mir] _48 = _38 + _48 := builtin$havoc_int() + _48 := _38.val_int + label l19 + // [mir] _49 = Eq(_48, const i32::MIN) + _49 := builtin$havoc_ref() + inhale acc(_49.val_bool, write) + _49.val_bool := _48 == -2147483648 + // [mir] assert(!move _49, "attempt to negate `{}`, which would overflow", _48) -> [success: bb25, unwind: bb33] + __t37 := _49.val_bool + // Rust assertion: attempt to negate with overflow + assert !__t37 + // ========== loop2_group3_bb25 ========== + __t19 := true + // [mir] _47 = Neg(move _48) + _47 := builtin$havoc_ref() + inhale acc(_47.val_int, write) + _47.val_int := -_48 + // [mir] StorageDead(_48) + // [mir] _44 = VecWrapperI32::store(move _45, move _46, move _47) -> [return: bb26, unwind: bb33] + label l20 + assert 0 <= _46 && + _46 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_45.val_ref)) + assert true + assert _46 >= 0 + fold acc(i32(_47), write) + exhale acc(_45.val_ref, write) && + (acc(struct$m_VecWrapperI32(_45.val_ref), write) && + (_46 >= 0 && acc(i32(_47), write))) + _44 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l20](_45.val_ref)), write) + inhale acc(tuple0$(_44), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l20](_45.val_ref))) == + 
old[l20](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_45.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l20](_45.val_ref)), + old[l20](_46)) == + old[l20](_47.val_int) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l20](_45.val_ref)))) || + (!(_0_quant_0 == old[l20](_46)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l20](_45.val_ref)), + _0_quant_0) == + old[l20](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_45.val_ref), + _0_quant_0)))))) + label l21 + // ========== l22 ========== + // MIR edge bb25 --> bb26 + // Expire borrows + // expire_borrows ReborrowingDAG(L21,L13,) + + // ========== loop2_group3_bb26 ========== + __t20 := true + // [mir] StorageDead(_47) + // [mir] StorageDead(_46) + // [mir] StorageDead(_45) + // [mir] StorageDead(_44) + // [mir] _41 = const () + // [mir] goto -> bb29 + // ========== l37 ========== + // drop Acc(_49.val_bool, write) (Acc(_49.val_bool, write)) + // drop Acc(_48.val_int, write) (Acc(_48.val_int, write)) + // drop Pred(_44, write) (Pred(_44, write)) + goto loop2_group1_bb3 + + label loop2_group1_bb3 + // ========== loop2_group3_bb29 ========== + __t23 := true + // [mir] StorageDead(_42) + // [mir] StorageDead(_41) + // [mir] _54 = CheckedAdd(_2, const 1_usize) + _54 := builtin$havoc_ref() + inhale acc(_54.tuple_0, write) + inhale 
acc(_54.tuple_0.val_int, write) + inhale acc(_54.tuple_1, write) + inhale acc(_54.tuple_1.val_bool, write) + _54.tuple_0.val_int := _2.val_int + 1 + _54.tuple_1.val_bool := false + // [mir] assert(!move (_54.1: bool), "attempt to compute `{} + {}`, which would overflow", _2, const 1_usize) -> [success: bb30, unwind: bb33] + __t38 := _54.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t38 + // ========== loop2_group3_bb30 ========== + __t24 := true + // [mir] _2 = move (_54.0: usize) + _2 := _54.tuple_0 + label l29 + // [mir] StorageLive(_55) + // [mir] _55 = _2 + _55 := builtin$havoc_int() + _55 := _2.val_int + label l30 + // [mir] StorageLive(_56) + // [mir] StorageLive(_57) + // [mir] _57 = &(*_1) + _57 := builtin$havoc_ref() + inhale acc(_57.val_ref, write) + _57.val_ref := _1.val_ref + exhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + inhale acc(struct$m_VecWrapperI32(_57.val_ref), read$()) + label l31 + // [mir] _56 = VecWrapperI32::len(move _57) -> [return: bb31, unwind: bb33] + label l32 + _56 := builtin$havoc_int() + inhale _56 >= 0 + inhale _56 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_57.val_ref)) + // transfer perm _57.val_ref --> old[l32](_57.val_ref) // unchecked: false + // ========== l33 ========== + // MIR edge bb30 --> bb31 + // Expire borrows + // expire_borrows ReborrowingDAG(L19,L14,) + + if (__t24 && __t24) { + // expire loan L14 + // transfer perm old[l32](_57.val_ref) --> old[l31](_57.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l31](_57.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + } + // ========== loop2_group3_bb31 ========== + __t25 := true + // [mir] StorageDead(_57) + // [mir] _3 = Lt(move _55, move _56) + inhale _56 >= 0 + _3.val_bool := _55 < _56 + // [mir] StorageDead(_56) + // [mir] StorageDead(_55) + // 
[mir] _7 = const () + // [mir] StorageDead(_38) + // [mir] StorageDead(_8) + // [mir] goto -> bb2 + // ========== loop2_group4_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb33] + // ========== loop2_group4_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = _3 + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _3.val_bool + label l34 + // [mir] switchInt(move _8) -> [0: bb32, otherwise: bb4] + __t39 := _8.val_bool + if (__t39) { + goto loop2_group2_bb4 + } + goto l5 + + label loop2_group2_bb4 + // ========== l36 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_group5_bb4 ========== + __t4 := true + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = const false + _10 := builtin$havoc_ref() + inhale acc(_10.val_bool, write) + _10.val_bool := false + // [mir] switchInt(move _10) -> [0: bb6, otherwise: bb5] + __t40 := _10.val_bool + // Ignore default target bb5, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop2_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb2) + fold acc(usize(_2), write) + // obtain acc(usize(_2), write) + fold acc(bool(_3), write) + // obtain acc(bool(_3), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) && + (0 <= (unfolding acc(usize(_2), write) in _2.val_int) && + (unfolding acc(usize(_2), write) in _2.val_int) < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < _2.val_int ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0) <= + 0))) && + ((unfolding acc(usize(_2), write) in + (let _LET_2 == + (_2.val_int) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(_LET_2 <= _0_quant_0) || + (_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + 
f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))) && + ((unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _2.val_int) || + (old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) > + 0 ==> + !(old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + -2147483648) && + -old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))) && + (unfolding acc(usize(_2), write) in + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _2.val_int) || + (old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) <= + 0 ==> + old[pre](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0)) == + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref), + _0_quant_0))))))))) + assert true + assert _preserve$0 == _1.val_ref + 
exhale acc(usize(_2), write) && + (acc(bool(_3), write) && + (acc(_1.val_ref, read$()) && + acc(struct$m_VecWrapperI32(_1.val_ref), write))) + inhale false + goto end_of_method + + label loop2_start + // ========== l15 ========== + // MIR edge bb23 --> bb27 + // ========== loop2_group3_bb27 ========== + __t21 := true + // [mir] StorageLive(_50) + // [mir] StorageLive(_51) + // [mir] _51 = &mut (*_1) + _51 := builtin$havoc_ref() + inhale acc(_51.val_ref, write) + _51.val_ref := _1.val_ref + label l23 + // [mir] StorageLive(_52) + // [mir] _52 = _2 + _52 := builtin$havoc_int() + _52 := _2.val_int + label l24 + // [mir] StorageLive(_53) + // [mir] _53 = _38 + _53 := builtin$havoc_ref() + inhale acc(_53.val_int, write) + _53.val_int := _38.val_int + label l25 + // [mir] _50 = VecWrapperI32::store(move _51, move _52, move _53) -> [return: bb28, unwind: bb33] + label l26 + assert 0 <= _52 && + _52 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_51.val_ref)) + assert true + assert _52 >= 0 + fold acc(i32(_53), write) + exhale acc(_51.val_ref, write) && + (acc(struct$m_VecWrapperI32(_51.val_ref), write) && + (_52 >= 0 && acc(i32(_53), write))) + _50 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l26](_51.val_ref)), write) + inhale acc(tuple0$(_50), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l26](_51.val_ref))) == + old[l26](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_51.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l26](_51.val_ref)), + old[l26](_52)) == + 
old[l26](_53.val_int) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l26](_51.val_ref)))) || + (!(_0_quant_0 == old[l26](_52)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l26](_51.val_ref)), + _0_quant_0) == + old[l26](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_51.val_ref), + _0_quant_0)))))) + label l27 + // ========== l28 ========== + // MIR edge bb27 --> bb28 + // Expire borrows + // expire_borrows ReborrowingDAG(L23,L15,) + + // ========== loop2_group3_bb28 ========== + __t22 := true + // [mir] StorageDead(_53) + // [mir] StorageDead(_52) + // [mir] StorageDead(_51) + // [mir] StorageDead(_50) + // [mir] _41 = const () + // [mir] goto -> bb29 + // ========== l39 ========== + // drop Pred(_50, write) (Pred(_50, write)) + goto loop2_group1_bb3 + + label return + // ========== l5 ========== + // MIR edge bb3 --> bb32 + goto l6 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--main-Both.vpr new file mode 100644 index 00000000..159375d2 --- /dev/null 
+++ b/src/test/resources/biabduction/frontends/prusti/quick/nll-rfc-case1.rs/tests_verify_pass_quick_nll-rfc-case1_nll-rfc-case1.rs_nll_rfc_case1--main-Both.vpr 
@@ -0,0 +1,305 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var _1: Ref + + label start + // ========== start ========== + // Def path: "nll_rfc_case1::main" + // Span: tests/verify/pass/quick/nll-rfc-case1.rs:114:1: 116:2 (#0) + __t0 := false + __t1 := false + // Preconditions: 
+ label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_1) + // [mir] _1 = bar() -> [return: bb1, unwind: bb2] + label l0 + _1 := builtin$havoc_ref() + inhale acc(tuple0$(_1), write) + inhale true + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_1) + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l3 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--borrow_nth-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--borrow_nth-Both.vpr new file mode 100644 index 00000000..d759ce05 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--borrow_nth-Both.vpr 
@@ -0,0 +1,1001 @@ +domain MirrorDomain { + + function mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + + function mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + axiom 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Route, _r_0: Snap$struct$m_Route :: + { 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0), + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + 1) + 
} + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Route :: + { Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + 
cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + 
function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: Snap$struct$m_Route): Snap$struct$m_Point + + function Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: 
FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function 
f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, 
b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain 
BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + 
function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_length__$TY$__Snap$struct$m_Route$$int$(_1) + ensures true + ensures [result == + mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1, _2), + true] +{ + (_2 != 0 ? 
+ (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)), + _2 - 1)) : + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(_1))) +} + +function f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int + requires true + requires true + ensures result > 0 + ensures [result == + mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? 
+ 1 : + 1 + + f_length__$TY$__Snap$struct$m_Route$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)))) +} + +function m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) +} + +function 
snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.enum_Some.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self.enum_Some.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding 
acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + 
(acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Route(self.val_ref), write) +} + +method m_borrow_nth() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Int + var __t12: Bool + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Int + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Int + var _11: Ref + var _12: Ref + var _13: Ref + var _14: Ref + var _15: Int + var _16: Ref + + label start + // ========== start ========== + // Def path: "routes::borrow_nth" + // Span: tests/verify/pass/quick/routes.rs:54:1: 63:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Route(_1.val_ref), write) && acc(i32(_2), write)) + inhale true + inhale 0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding acc(i32(_2), write) in _2.val_int) < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_int() + unfold acc(i32(_2), write) + _6 := _2.val_int + label l0 + // 
[mir] _5 = Eq(move _6, const 0_i32) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 == 0 + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb2, otherwise: bb1] + __t10 := _5.val_bool + if (__t10) { + goto bb1 + } + goto bb0 + + label bb0 + // ========== l1 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] StorageLive(_9) + // [mir] FakeRead(ForMatchedPlace(None), ((*_1).1: std::option::Option>)) + // [mir] _10 = discriminant(((*_1).1: std::option::Option>)) + _10 := builtin$havoc_int() + unfold acc(struct$m_Route(_1.val_ref), write) + _10 := m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(_1.val_ref.f$rest) + // [mir] switchInt(move _10) -> [0: bb3, 1: bb4, otherwise: bb5] + __t11 := _10 + // Ignore default target bb5, as the compiler marked it as unreachable. 
+ if (__t11 == 0) { + goto l2 + } + goto l1 + + label bb1 + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t1 := true + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = &mut ((*_1).0: Point) + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + unfold acc(struct$m_Route(_1.val_ref), write) + _8.val_ref := _1.val_ref.f$current + label l3 + // [mir] _7 = &mut (*_8) + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _8.val_ref + label l4 + // [mir] _4 = &mut (*_7) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + _4.val_ref := _7.val_ref + label l5 + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] goto -> bb9 + // ========== l20 ========== + // drop Pred(_1.val_ref.f$rest, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // drop Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + goto bb2 + + label bb2 + // ========== bb9 ========== + __t8 := true + // [mir] _3 = &mut (*_4) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + _3.val_ref := _4.val_ref + label l16 + // [mir] StorageDead(_5) + // [mir] _0 = &mut (*_3) + _0 := builtin$havoc_ref() + inhale acc(_0.val_ref, write) + _0.val_ref := _3.val_ref + label l17 + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // obtain ((acc(struct$m_Point(_0.val_ref), write)) && (true)) && ((true) && (true)) + label l18 + package acc(DeadBorrowToken$(-1), write) && + acc(struct$m_Point(old[l18](_0.val_ref)), write) --* + acc(struct$m_Route(old[pre](_1.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref))) == + old[pre](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref))) && + 
(f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) == + old[lhs]((unfolding acc(struct$m_Point(old[l18](_0.val_ref)), write) in + (unfolding acc(i32(old[l18](_0.val_ref).f$x), write) in + old[l18](_0.val_ref).f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)))) || + (!(_0_quant_0 == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + _0_quant_0) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + _0_quant_0))))))) { + var _old$l13$0$p0: Ref + // expire_borrows ReborrowingDAG(L4,L3,L8,L7,L2,L1,L12,L13,L6,L5,L0,) + + if (__t8) { + // expire loan L4 + // transfer perm _0.val_ref --> old[l17](_3.val_ref) // unchecked: false + } + if (__t8 && __t8) { + // expire loan L3 + // transfer perm old[l17](_3.val_ref) --> old[l16](_3.val_ref) // unchecked: false + // transfer perm old[l16](_3.val_ref) --> old[l16](_4.val_ref) // unchecked: false + } + if (__t8 && __t8 && __t7) { + // restored (from log): Acc(_1.val_ref.f$rest[enum_Some], write) + // restored (from log): Acc(_1.val_ref.f$rest[enum_Some].f$0, write) + // restored (from log): Acc(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write) + // restored (from log): Acc(_1.val_ref.f$rest.discriminant, write) + // restored (from log): Acc(_9.val_ref, write) + // restored (from log): Acc(_11.val_ref, write) + // restored (from log): Acc(_12.val_ref, write) + // restored (from log): Pred(_1.val_ref.f$current, write) + } + if (__t8 && __t8 && __t1) { + // restored (from 
log): Pred(_1.val_ref.f$rest, write) + // restored (from log): Acc(_8.val_ref, write) + // restored (from log): Acc(_7.val_ref, write) + } + if (__t7 && (__t8 && __t8)) { + // expire loan L8 + // transfer perm old[l16](_4.val_ref) --> old[l15](_4.val_ref) // unchecked: false + // transfer perm old[l15](_4.val_ref) --> old[l15](_9.val_ref) // unchecked: false + } + if (__t7 && (__t7 && (__t8 && __t8))) { + // expire loan L7 + // transfer perm old[l15](_9.val_ref) --> old[l14](_9.val_ref) // unchecked: false + // transfer perm old[l14](_9.val_ref) --> old[l14](_12.val_ref) // unchecked: false + } + if (__t1 && (__t8 && __t8)) { + // expire loan L2 + // transfer perm old[l16](_4.val_ref) --> old[l5](_4.val_ref) // unchecked: false + // transfer perm old[l5](_4.val_ref) --> old[l5](_7.val_ref) // unchecked: false + } + if (__t1 && (__t1 && (__t8 && __t8))) { + // expire loan L1 + // transfer perm old[l5](_7.val_ref) --> old[l4](_7.val_ref) // unchecked: false + // transfer perm old[l4](_7.val_ref) --> old[l4](_8.val_ref) // unchecked: false + } + if (__t6 && (__t7 && (__t7 && (__t8 && __t8)))) { + // expire loan L12 + _old$l13$0$p0 := old[l14](_12.val_ref) + inhale acc(DeadBorrowToken$(12), write) && + acc(struct$m_Point(_old$l13$0$p0), write) --* + acc(struct$m_Route(old[l12](_13.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref))) == + old[l12](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + old[l12](_14.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l13$0$p0), write) in + (unfolding acc(i32(_old$l13$0$p0.f$x), write) in + _old$l13$0$p0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + 
f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)))) || + (!(_0_quant_0 == old[l12](_14.val_int)) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + _0_quant_0) == + old[l12](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref), + _0_quant_0))))))) + inhale acc(DeadBorrowToken$(12), write) + apply acc(DeadBorrowToken$(12), write) && + acc(struct$m_Point(_old$l13$0$p0), write) --* + acc(struct$m_Route(old[l12](_13.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref))) == + old[l12](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + old[l12](_14.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l13$0$p0), write) in + (unfolding acc(i32(_old$l13$0$p0.f$x), write) in + _old$l13$0$p0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)))) || + (!(_0_quant_0 == old[l12](_14.val_int)) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + _0_quant_0) == + old[l12](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref), + _0_quant_0))))))) + } + if (__t6 && (__t6 && (__t7 && (__t7 && (__t8 && __t8))))) { + // expire loan L13 + } + if (__t5 && (__t6 && 
(__t6 && (__t7 && (__t7 && (__t8 && __t8)))))) { + // expire loan L6 + // transfer perm old[l12](_13.val_ref) --> old[l9](_13.val_ref) // unchecked: false + // transfer perm old[l9](_13.val_ref) --> old[l9](_11.val_ref) // unchecked: false + } + if (__t5 && + (__t5 && (__t6 && (__t6 && (__t7 && (__t7 && (__t8 && __t8))))))) { + // expire loan L5 + // transfer perm old[l9](_11.val_ref) --> old[l8](_11.val_ref) // unchecked: false + // transfer perm old[l8](_11.val_ref) --> _1.val_ref.f$rest[enum_Some].f$0.val_ref // unchecked: false + assert acc(old[l18](_1.val_ref).f$rest, read$()) + assert acc(old[l18](_1.val_ref).f$rest.enum_Some, read$()) + assert acc(old[l18](_1.val_ref).f$rest.enum_Some.f$0, read$()) + fold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(old[l18](_1.val_ref).f$rest.enum_Some.f$0), write) + assert acc(old[l18](_1.val_ref).f$rest, read$()) + assert acc(old[l18](_1.val_ref).f$rest.enum_Some, read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(old[l18](_1.val_ref).f$rest.enum_Some), write) + assert acc(old[l18](_1.val_ref).f$rest, read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(old[l18](_1.val_ref).f$rest), write) + // drop Acc(_9.val_ref, write) (Acc(_9.val_ref, write)) + // restored (in branch merge): Acc(_9.val_ref, write) (Acc(_9.val_ref, write)) + // drop Acc(old[l14](_12.val_ref), write) (Acc(old[l14](_12.val_ref), write)) + // drop Acc(_11.val_ref, write) (Acc(_11.val_ref, write)) + // restored (in branch merge): Acc(_11.val_ref, write) (Acc(_11.val_ref, write)) + // drop Acc(_12.val_ref, write) (Acc(_12.val_ref, write)) + // restored (in branch merge): Acc(_12.val_ref, write) (Acc(_12.val_ref, write)) + } + if (__t1 && (__t1 && (__t1 && (__t8 && __t8)))) { + // expire loan L0 + // transfer perm old[l4](_8.val_ref) --> old[l3](_8.val_ref) // unchecked: false + // transfer 
perm old[l3](_8.val_ref) --> _1.val_ref.f$current // unchecked: false + // drop Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // restored (in branch merge): Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // drop Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + // restored (in branch merge): Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + } + // Fold predicates for &mut args + // transfer perm _1.val_ref --> old[pre](_1.val_ref) // unchecked: false + fold acc(struct$m_Route(old[pre](_1.val_ref)), write) + // obtain acc(struct$m_Route(old[pre](_1.val_ref)), write) + } + // transfer perm old[l18](_0.val_ref) --> _0.val_ref // unchecked: false + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l19 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + // obtain acc(struct$m_Point(_0.val_ref), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(struct$m_Point(_0.val_ref), write) in + (unfolding acc(i32(_0.val_ref.f$x), write) in + _0.val_ref.f$x.val_int == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + (unfolding acc(i32(_2), write) in _2.val_int))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(_0.val_ref, write) && acc(struct$m_Point(_0.val_ref), write) + // Exhale permissions of postcondition (3/3) + exhale acc(DeadBorrowToken$(-1), write) && + acc(struct$m_Point(old[l19](_0.val_ref)), write) --* + acc(struct$m_Route(old[pre](_1.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref))) == + 
old[pre](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) == + old[lhs]((unfolding acc(struct$m_Point(old[l19](_0.val_ref)), write) in + (unfolding acc(i32(old[l19](_0.val_ref).f$x), write) in + old[l19](_0.val_ref).f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)))) || + (!(_0_quant_0 == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + _0_quant_0) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + _0_quant_0))))))) + goto end_of_method + + label l1 + // ========== l6 ========== + // MIR edge bb2 --> bb4 + // ========== bb4 ========== + __t4 := true + // [mir] falseEdge -> [real: bb6, imaginary: bb3] + // ========== bb6 ========== + __t5 := true + // [mir] StorageLive(_11) + // [mir] _11 = &mut (*((((*_1).1: std::option::Option>) as Some).0: std::boxed::Box)) + _11 := builtin$havoc_ref() + inhale acc(_11.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), write) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), write) + _11.val_ref := 
_1.val_ref.f$rest.enum_Some.f$0.val_ref + label l8 + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = &mut (*_11) + _13 := builtin$havoc_ref() + inhale acc(_13.val_ref, write) + _13.val_ref := _11.val_ref + label l9 + // [mir] StorageLive(_14) + // [mir] StorageLive(_15) + // [mir] _15 = _2 + _15 := builtin$havoc_int() + _15 := _2.val_int + label l10 + // [mir] _16 = CheckedSub(_15, const 1_i32) + _16 := builtin$havoc_ref() + inhale acc(_16.tuple_0, write) + inhale acc(_16.tuple_0.val_int, write) + inhale acc(_16.tuple_1, write) + inhale acc(_16.tuple_1.val_bool, write) + _16.tuple_0.val_int := _15 - 1 + _16.tuple_1.val_bool := false + // [mir] assert(!move (_16.1: bool), "attempt to compute `{} - {}`, which would overflow", move _15, const 1_i32) -> [success: bb7, unwind: bb10] + __t12 := _16.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t12 + // ========== bb7 ========== + __t6 := true + // [mir] _14 = move (_16.0: i32) + _14 := _16.tuple_0 + label l11 + // [mir] StorageDead(_15) + // [mir] _12 = borrow_nth(move _13, move _14) -> [return: bb8, unwind: bb10] + label l12 + assert 0 <= _14.val_int && + _14.val_int < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref)) + assert true + fold acc(i32(_14), write) + exhale acc(_13.val_ref, write) && + (acc(struct$m_Route(_13.val_ref), write) && acc(i32(_14), write)) + _12 := builtin$havoc_ref() + inhale acc(_12.val_ref, write) && acc(struct$m_Point(_12.val_ref), write) + inhale true + inhale (unfolding acc(struct$m_Point(_12.val_ref), write) in + (unfolding acc(i32(_12.val_ref.f$x), write) in + _12.val_ref.f$x.val_int == + old[l12](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref), + _14.val_int)))) + label l13 + // ========== bb8 ========== + __t7 := true + // [mir] _9 = &mut (*_12) + _9 := 
builtin$havoc_ref() + inhale acc(_9.val_ref, write) + _9.val_ref := _12.val_ref + label l14 + // [mir] StorageDead(_14) + // [mir] StorageDead(_13) + // [mir] StorageDead(_12) + // [mir] StorageDead(_11) + // [mir] _4 = &mut (*_9) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + _4.val_ref := _9.val_ref + label l15 + // [mir] StorageDead(_9) + // [mir] goto -> bb9 + // ========== l21 ========== + // drop Acc(_1.val_ref.f$rest[enum_Some], write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_1.val_ref.f$rest[enum_Some].f$0, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_1.val_ref.f$rest.discriminant, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_9.val_ref, write) (Acc(_9.val_ref, write)) + // drop Acc(_10.val_int, write) (Acc(_10.val_int, write)) + // drop Acc(_11.val_ref, write) (Acc(_11.val_ref, write)) + // drop Acc(_15.val_int, write) (Acc(_15.val_int, write)) + // drop Acc(_16.tuple_0, write) (Acc(_16.tuple_0, write)) + // drop Acc(_16.tuple_1.val_bool, write) (Acc(_16.tuple_1.val_bool, write)) + // drop Acc(_12.val_ref, write) (Acc(_12.val_ref, write)) + // drop Pred(_1.val_ref.f$current, write) (Pred(_1.val_ref.f$current, write)) + // drop Acc(_16.tuple_1, write) (Acc(_16.tuple_1, write)) + goto bb2 + + label l2 + // ========== l7 ========== + // MIR edge bb2 --> bb3 + // ========== bb3 ========== + __t9 := true + // [mir] StorageLive(_17) + // [mir] _17 = core::panicking::panic(const "internal error: entered unreachable code") -> bb10 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label return + // ========== bb5 ========== + __t3 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method 
builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--get_nth_x-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--get_nth_x-Both.vpr new file mode 100644 index 00000000..339b89c2 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--get_nth_x-Both.vpr 
@@ -0,0 +1,766 @@ +domain MirrorDomain { + + function mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$discriminant_range { + (forall self: 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Route, _r_0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0), + 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Route :: + { 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { 
Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: Snap$struct$m_Route): Snap$struct$m_Point + + function 
Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function 
f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 
interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: 
BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + 
function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int + requires true + requires true + ensures result > 0 + ensures [result == + mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? 
+ 1 : + 1 + + f_length__$TY$__Snap$struct$m_Route$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)))) +} + +function m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) +} + +function 
snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.enum_Some.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self.enum_Some.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding 
acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + 
(acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Route(self.val_ref), write) +} + +method m_get_nth_x() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Int + var __t12: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Int + var _5: Int + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Int + var _10: Ref + + label start + // ========== start ========== + // Def path: "routes::get_nth_x" + // Span: tests/verify/pass/quick/routes.rs:33:1: 40:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Route(_1.val_ref), read$()) && acc(i32(_2), write)) + inhale 0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding acc(i32(_2), write) in _2.val_int) < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + unfold acc(i32(_2), write) + _4 := _2.val_int + label l0 + // [mir] _3 = Eq(move _4, const 0_i32) + _3 := builtin$havoc_ref() + inhale acc(_3.val_bool, write) + _3.val_bool := _4 == 0 + // [mir] 
StorageDead(_4) + // [mir] switchInt(move _3) -> [0: bb2, otherwise: bb1] + __t10 := _3.val_bool + if (__t10) { + goto bb1 + } + goto bb0 + + label bb0 + // ========== l1 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] FakeRead(ForMatchedPlace(None), ((*_1).1: std::option::Option>)) + // [mir] _5 = discriminant(((*_1).1: std::option::Option>)) + _5 := builtin$havoc_int() + unfold acc(struct$m_Route(_1.val_ref), read$()) + _5 := m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(_1.val_ref.f$rest) + // [mir] switchInt(move _5) -> [0: bb3, 1: bb4, otherwise: bb5] + __t11 := _5 + // Ignore default target bb5, as the compiler marked it as unreachable. + if (__t11 == 0) { + goto l2 + } + goto l1 + + label bb1 + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t1 := true + // [mir] _0 = (((*_1).0: Point).0: i32) + _0 := builtin$havoc_ref() + inhale acc(_0.val_int, write) + unfold acc(struct$m_Route(_1.val_ref), read$()) + unfold acc(struct$m_Point(_1.val_ref.f$current), read$()) + unfold acc(i32(_1.val_ref.f$current.f$x), read$()) + _0.val_int := _1.val_ref.f$current.f$x.val_int + label l3 + // [mir] goto -> bb9 + goto bb2 + + label bb2 + // ========== bb9 ========== + __t8 := true + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l14 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$current.f$x), read$()) + fold acc(struct$m_Point(_1.val_ref.f$current), read$()) + fold acc(struct$m_Route(_1.val_ref), read$()) + // obtain acc(struct$m_Route(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Route(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label l1 + // ========== l4 ========== + // MIR edge bb2 --> bb4 + // ========== bb4 ========== + __t4 := true + // [mir] falseEdge -> [real: bb6, imaginary: bb3] + // ========== bb6 ========== + __t5 := true + // [mir] StorageLive(_6) + // [mir] _6 = &(*((((*_1).1: std::option::Option>) as Some).0: std::boxed::Box)) + _6 := builtin$havoc_ref() + inhale acc(_6.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + _6.val_ref := _1.val_ref.f$rest.enum_Some.f$0.val_ref + inhale acc(struct$m_Route(_6.val_ref), read$()) + label l6 + // [mir] StorageLive(_7) + // [mir] _7 = &(*_6) + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _6.val_ref + inhale acc(struct$m_Route(_7.val_ref), read$()) + label l7 + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _2 + _9 := 
builtin$havoc_int() + _9 := _2.val_int + label l8 + // [mir] _10 = CheckedSub(_9, const 1_i32) + _10 := builtin$havoc_ref() + inhale acc(_10.tuple_0, write) + inhale acc(_10.tuple_0.val_int, write) + inhale acc(_10.tuple_1, write) + inhale acc(_10.tuple_1.val_bool, write) + _10.tuple_0.val_int := _9 - 1 + _10.tuple_1.val_bool := false + // [mir] assert(!move (_10.1: bool), "attempt to compute `{} - {}`, which would overflow", move _9, const 1_i32) -> [success: bb7, unwind: bb10] + __t12 := _10.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t12 + // ========== bb7 ========== + __t6 := true + // [mir] _8 = move (_10.0: i32) + _8 := _10.tuple_0 + label l9 + // [mir] StorageDead(_9) + // [mir] _0 = get_nth_x(move _7, move _8) -> [return: bb8, unwind: bb10] + label l10 + assert 0 <= _8.val_int && + _8.val_int < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_7.val_ref)) + fold acc(i32(_8), write) + exhale acc(_7.val_ref, write) && acc(i32(_8), write) + _0 := builtin$havoc_ref() + inhale acc(i32(_0), write) + // transfer perm _7.val_ref --> old[l10](_7.val_ref) // unchecked: true + label l11 + // ========== l12 ========== + // MIR edge bb7 --> bb8 + // Expire borrows + // expire_borrows ReborrowingDAG(L5,L4,L3,) + + if (__t5 && __t6) { + // expire loan L4 + // transfer perm old[l10](_7.val_ref) --> old[l7](_7.val_ref) // unchecked: false + exhale acc(struct$m_Route(old[l7](_7.val_ref)), read$()) + } + if (__t5 && (__t5 && __t6)) { + // expire loan L3 + exhale acc(struct$m_Route(_6.val_ref), read$()) + } + // ========== bb8 ========== + __t7 := true + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] goto -> bb9 + // ========== l13 ========== + fold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + fold 
acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(i32(_0), write) + // drop Acc(_5.val_int, write) (Acc(_5.val_int, write)) + // drop Acc(_10.tuple_1.val_bool, write) (Acc(_10.tuple_1.val_bool, write)) + // drop Acc(_6.val_ref, write) (Acc(_6.val_ref, write)) + unfold acc(struct$m_Point(_1.val_ref.f$current), read$()) + unfold acc(i32(_1.val_ref.f$current.f$x), read$()) + // drop Acc(_9.val_int, write) (Acc(_9.val_int, write)) + // drop Acc(_10.tuple_0, write) (Acc(_10.tuple_0, write)) + // drop Acc(_10.tuple_1, write) (Acc(_10.tuple_1, write)) + goto bb2 + + label l2 + // ========== l5 ========== + // MIR edge bb2 --> bb3 + // ========== bb3 ========== + __t9 := true + // [mir] StorageLive(_11) + // [mir] _11 = core::panicking::panic(const "internal error: entered unreachable code") -> bb10 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label return + // ========== bb5 ========== + __t3 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--length-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--length-Both.vpr new file mode 100644 index 00000000..d5caca05 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--length-Both.vpr 
@@ -0,0 +1,672 @@ +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Route, _r_0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0), + 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Route :: + { 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { 
Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: Snap$struct$m_Route): Snap$struct$m_Point + + function 
Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function 
f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 
interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: 
BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + 
function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.enum_Some.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self.enum_Some.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + 
snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Route(self.val_ref), write) +} + +method m_length() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Int + var __t9: Bool + var 
_old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Ref + var _5: Ref + var _6: Ref + + label start + // ========== start ========== + // Def path: "routes::length" + // Span: tests/verify/pass/quick/routes.rs:24:1: 29:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(struct$m_Route(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] FakeRead(ForMatchedPlace(None), ((*_1).1: std::option::Option>)) + // [mir] _3 = discriminant(((*_1).1: std::option::Option>)) + _3 := builtin$havoc_int() + unfold acc(struct$m_Route(_1.val_ref), read$()) + _3 := m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(_1.val_ref.f$rest) + // [mir] switchInt(move _3) -> [0: bb1, 1: bb2, otherwise: bb3] + __t8 := _3 + // Ignore default target bb3, as the compiler marked it as unreachable. 
+ if (__t8 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb1] + // ========== bb4 ========== + __t3 := true + // [mir] StorageLive(_4) + // [mir] _4 = &(*((((*_1).1: std::option::Option>) as Some).0: std::boxed::Box)) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + _4.val_ref := _1.val_ref.f$rest.enum_Some.f$0.val_ref + inhale acc(struct$m_Route(_4.val_ref), read$()) + label l2 + // [mir] StorageLive(_5) + // [mir] _5 = &(*_4) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _4.val_ref + inhale acc(struct$m_Route(_5.val_ref), read$()) + label l3 + // [mir] _2 = length(move _5) -> [return: bb5, unwind: bb8] + label l4 + exhale acc(_5.val_ref, write) + _2 := builtin$havoc_ref() + inhale acc(i32(_2), write) + // transfer perm _5.val_ref --> old[l4](_5.val_ref) // unchecked: true + inhale (unfolding acc(i32(_2), write) in _2.val_int > 0) + label l5 + // ========== l6 ========== + // MIR edge bb4 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L4,L3,L5,) + + if (__t3 && __t3) { + // expire loan L3 + // transfer perm old[l4](_5.val_ref) --> old[l3](_5.val_ref) // unchecked: false + exhale acc(struct$m_Route(old[l3](_5.val_ref)), read$()) + } + if (__t3 && (__t3 && __t3)) { + // expire loan L5 + exhale acc(struct$m_Route(_4.val_ref), read$()) + } + // ========== bb5 ========== + __t4 := true + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // 
[mir] goto -> bb6 + // ========== l8 ========== + fold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(i32(_2), write) + // drop Acc(_4.val_ref, write) (Acc(_4.val_ref, write)) + goto l1 + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t5 := true + // [mir] _2 = const 0_i32 + _2 := builtin$havoc_ref() + inhale acc(_2.val_int, write) + _2.val_int := 0 + // [mir] goto -> bb6 + goto l1 + + label l1 + // ========== bb6 ========== + __t6 := true + // [mir] _6 = CheckedAdd(const 1_i32, _2) + _6 := builtin$havoc_ref() + inhale acc(_6.tuple_0, write) + inhale acc(_6.tuple_0.val_int, write) + inhale acc(_6.tuple_1, write) + inhale acc(_6.tuple_1.val_bool, write) + _6.tuple_0.val_int := 1 + _2.val_int + _6.tuple_1.val_bool := false + // [mir] assert(!move (_6.1: bool), "attempt to compute `{} + {}`, which would overflow", const 1_i32, move _2) -> [success: bb7, unwind: bb8] + __t9 := _6.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t9 + // ========== bb7 ========== + __t7 := true + // [mir] _0 = move (_6.0: i32) + _0 := _6.tuple_0 + label l7 + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l9 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_Route(_1.val_ref), read$()) + // obtain acc(struct$m_Route(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(i32(_0), write) in _0.val_int > 0) + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Route(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--main-Both.vpr new file mode 100644 index 00000000..426f75e3 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "routes::main" + // Span: tests/verify/pass/quick/routes.rs:74:1: 74:13 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + 
// [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_nth_x-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_nth_x-Both.vpr new file mode 100644 index 00000000..fe8bb986 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_nth_x-Both.vpr 
@@ -0,0 +1,660 @@ +domain MirrorDomain { + + function mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + + function mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 
== _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: 
Snap$struct$m_Route): Snap$struct$m_Point + + function Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: 
FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function 
f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, 
b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain 
BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + 
function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_length__$TY$__Snap$struct$m_Route$$int$(_1) + ensures true + ensures [result == + mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1, _2), + true] +{ + (_2 != 0 ? 
+ (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)), + _2 - 1)) : + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(_1))) +} + +function f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int + requires true + requires true + ensures result > 0 + ensures [result == + mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? 
+ 1 : + 1 + + f_length__$TY$__Snap$struct$m_Route$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)))) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + 
snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_shift_nth_x() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var _old$l3$0: Ref + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + + label start + // ========== start ========== + // Def path: "routes::shift_nth_x" + // Span: tests/verify/pass/quick/routes.rs:69:1: 72:2 (#0) + __t0 := false + __t1 := false + __t2 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Route(_1.val_ref), write) && + (acc(i32(_2), write) && acc(i32(_3), write))) + inhale true + inhale 0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding acc(i32(_2), write) 
in _2.val_int) < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] _5 = &mut (*_1) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _1.val_ref + label l0 + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_ref() + inhale acc(_6.val_int, write) + unfold acc(i32(_2), write) + _6.val_int := _2.val_int + label l1 + // [mir] _4 = borrow_nth(move _5, move _6) -> [return: bb1, unwind: bb3] + label l2 + assert 0 <= _6.val_int && + _6.val_int < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref)) + assert true + fold acc(i32(_6), write) + exhale acc(_5.val_ref, write) && + (acc(struct$m_Route(_5.val_ref), write) && acc(i32(_6), write)) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) && acc(struct$m_Point(_4.val_ref), write) + inhale true + inhale (unfolding acc(struct$m_Point(_4.val_ref), write) in + (unfolding acc(i32(_4.val_ref.f$x), write) in + _4.val_ref.f$x.val_int == + old[l2](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref), + _6.val_int)))) + label l3 + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = &mut (*_4) + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + _8.val_ref := _4.val_ref + label l4 + // [mir] StorageLive(_9) + // [mir] _9 = _3 + _9 := builtin$havoc_ref() + inhale acc(_9.val_int, write) + unfold acc(i32(_3), write) + _9.val_int := _3.val_int + label l5 + // [mir] _7 = shift_x(move _8, move _9) -> [return: bb2, unwind: bb3] + label l6 + assert true + fold acc(i32(_9), write) + exhale 
acc(_8.val_ref, write) && + (acc(struct$m_Point(_8.val_ref), write) && acc(i32(_9), write)) + _7 := builtin$havoc_ref() + inhale acc(struct$m_Point(old[l6](_8.val_ref)), write) + inhale acc(tuple0$(_7), write) + inhale true + inhale (unfolding acc(struct$m_Point(old[l6](_8.val_ref)), write) in + (unfolding acc(i32(old[l6](_8.val_ref).f$y), write) in + (unfolding acc(i32(old[l6](_8.val_ref).f$x), write) in + old[l6](_8.val_ref).f$x.val_int == + old[l6]((unfolding acc(struct$m_Point(_8.val_ref), write) in + (unfolding acc(i32(_8.val_ref.f$x), write) in + _8.val_ref.f$x.val_int))) + + old[l6](_9.val_int) && + old[l6](_8.val_ref).f$y.val_int == + old[l6]((unfolding acc(struct$m_Point(_8.val_ref), write) in + (unfolding acc(i32(_8.val_ref.f$y), write) in + _8.val_ref.f$y.val_int)))))) + label l7 + // ========== l8 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L5,L1,L6,L7,L0,) + + if (__t0 && (__t1 && __t1)) { + // expire loan L6 + _old$l3$0 := _4.val_ref + inhale acc(DeadBorrowToken$(6), write) && + acc(struct$m_Point(_old$l3$0), write) --* + acc(struct$m_Route(old[l2](_5.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref))) == + old[l2](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + old[l2](_6.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l3$0), write) in + (unfolding acc(i32(_old$l3$0.f$x), write) in _old$l3$0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)))) || + (!(_0_quant_0 == old[l2](_6.val_int)) ==> + 
f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + _0_quant_0) == + old[l2](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref), + _0_quant_0))))))) + inhale acc(DeadBorrowToken$(6), write) + apply acc(DeadBorrowToken$(6), write) && + acc(struct$m_Point(_old$l3$0), write) --* + acc(struct$m_Route(old[l2](_5.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref))) == + old[l2](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + old[l2](_6.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l3$0), write) in + (unfolding acc(i32(_old$l3$0.f$x), write) in _old$l3$0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)))) || + (!(_0_quant_0 == old[l2](_6.val_int)) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + _0_quant_0) == + old[l2](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref), + _0_quant_0))))))) + } + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_9) + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] _0 = const () + // [mir] StorageDead(_4) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l10 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_Route(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0)) == + old[pre](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0), + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + (unfolding acc(i32(_2), write) in _2.val_int))) + + old[pre]((unfolding acc(i32(_3), write) in _3.val_int)) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0))) || + (!(_0_quant_0 == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0), + _0_quant_0) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + _0_quant_0)))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Route(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + 
+method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_x-Both.vpr b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_x-Both.vpr new file mode 100644 index 00000000..437fe126 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/quick/routes.rs/tests_verify_pass_quick_routes_routes.rs_routes--shift_x-Both.vpr 
@@ -0,0 +1,377 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && 
acc(i32(self.f$y), write))) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_shift_x() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Int + var _5: Ref + + label start + // ========== start ========== + // Def path: "routes::shift_x" + // Span: tests/verify/pass/quick/routes.rs:13:1: 15:2 (#0) + __t0 := false + __t1 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Point(_1.val_ref), write) && acc(i32(_2), write)) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = ((*_1).0: i32) + _3 := builtin$havoc_int() + unfold acc(struct$m_Point(_1.val_ref), write) + unfold acc(i32(_1.val_ref.f$x), write) + _3 := _1.val_ref.f$x.val_int + label l0 + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + unfold acc(i32(_2), write) + _4 := _2.val_int + label l1 + // [mir] _5 = CheckedAdd(_3, _4) + _5 := builtin$havoc_ref() + inhale acc(_5.tuple_0, write) + inhale acc(_5.tuple_0.val_int, write) + inhale acc(_5.tuple_1, write) + inhale acc(_5.tuple_1.val_bool, write) + _5.tuple_0.val_int := _3 + _4 + _5.tuple_1.val_bool := false + // [mir] assert(!move (_5.1: bool), "attempt to compute `{} + {}`, which would overflow", move _3, move _4) -> [success: bb1, unwind: bb2] + __t2 := _5.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t2 + // ========== bb1 ========== + __t1 := true + // [mir] ((*_1).0: i32) = move (_5.0: i32) + _1.val_ref.f$x := _5.tuple_0 + label l2 + // [mir] _0 = const () + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l4 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$x), write) + fold acc(struct$m_Point(_1.val_ref), write) + // obtain acc(struct$m_Point(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(struct$m_Point(_old$pre$0), write) in + (unfolding acc(i32(_old$pre$0.f$y), write) in + (unfolding acc(i32(_old$pre$0.f$x), write) in + _old$pre$0.f$x.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$x), write) in + _1.val_ref.f$x.val_int))) + + old[pre]((unfolding acc(i32(_2), write) in _2.val_int)) && + _old$pre$0.f$y.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$y), write) in + _1.val_ref.f$y.val_int)))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Point(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--heap_sort-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--heap_sort-Both.vpr new file mode 100644 index 00000000..fc8bbd9d --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--heap_sort-Both.vpr 
@@ -0,0 +1,1431 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + + function mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): 
FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function 
f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function 
bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + 
function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1, + _2), + true] + + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + 
ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) { + true +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_heap_sort() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var _preserve$0: Ref + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var __t41: Bool + var __t42: Bool + var _preserve$1: Ref + var __t43: Bool + var __t44: Bool + var __t45: Bool + var __t46: Bool + var __t47: Bool + var __t48: Bool + var __t49: Bool + var __t50: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Ref + var _4: Ref + var _5: Int + var _6: Ref + var _7: Ref + var _8: Int + var _11: Ref + var _13: Ref + var _18: Ref + var _23: Ref + var _26: Ref + var _27: Ref + var _28: Ref + var _29: Int + var _30: Ref + var _31: Int + var _32: Ref + var _33: Int + var _37: Ref + var _38: Ref + var _39: Int + var _40: Ref + var _42: Ref + var _47: Ref + var _52: Ref + var _55: Ref + var _56: Int + var _57: Ref + var _58: Ref + 
var _59: Int + var _60: Int + var _61: Ref + var _62: Ref + var _63: Int + var _64: Ref + var _65: Int + var _66: Ref + var _67: Int + + label start + // ========== start ========== + // Def path: "Heapsort::heap_sort" + // Span: tests/verify/pass/rosetta/Heapsort.rs:108:1: 136:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + __t27 := false + __t28 := false + __t29 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(struct$m_VecWrapperI32(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] _3 = &(*_1) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + _3.val_ref := _1.val_ref + exhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + inhale acc(struct$m_VecWrapperI32(_3.val_ref), read$()) + label l0 + // [mir] _2 = VecWrapperI32::len(move _3) -> [return: bb1, unwind: bb36] + label l1 + _2 := builtin$havoc_int() + inhale _2 >= 0 + inhale _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_3.val_ref)) + // transfer perm _3.val_ref --> old[l1](_3.val_ref) // unchecked: false + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L19,L0,) + + if (__t0 && __t0) { + // expire loan L0 + // transfer perm old[l1](_3.val_ref) --> old[l0](_3.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l0](_3.val_ref)), read$()) + inhale 
acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + } + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_3) + // [mir] FakeRead(ForLet(None), _2) + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] _5 = _2 + _5 := builtin$havoc_int() + inhale _2 >= 0 + _5 := _2 + label l3 + // [mir] _6 = Eq(const 2_usize, const 0_usize) + _6 := builtin$havoc_ref() + inhale acc(_6.val_bool, write) + _6.val_bool := false + // [mir] assert(!move _6, "attempt to divide `{}` by zero", _5) -> [success: bb2, unwind: bb36] + __t30 := _6.val_bool + // Rust assertion: attempt to divide by zero + assert !__t30 + // ========== bb2 ========== + __t2 := true + // [mir] _4 = Div(move _5, const 2_usize) + _4 := builtin$havoc_ref() + inhale acc(_4.val_int, write) + _4.val_int := _5 / 2 + // [mir] StorageDead(_5) + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = _4 + _8 := builtin$havoc_int() + _8 := _4.val_int + label l4 + // [mir] _7 = Gt(move _8, const 0_usize) + _7 := builtin$havoc_ref() + inhale acc(_7.val_bool, write) + _7.val_bool := _8 > 0 + // [mir] StorageDead(_8) + // [mir] FakeRead(ForLet(None), _7) + // [mir] StorageLive(_9) + // [mir] goto -> bb3 + // ========== loop3_start ========== + // ========== loop3_group1_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb36] + // ========== loop3_group1_bb4 ========== + __t4 := true + // [mir] StorageLive(_11) + // [mir] _11 = _7 + _11 := builtin$havoc_ref() + inhale acc(_11.val_bool, write) + _11.val_bool := _7.val_bool + label l5 + // [mir] switchInt(move _11) -> [0: bb18, otherwise: bb5] + __t31 := _11.val_bool + if (__t31) { + goto bb0 + } + goto return + + label bb0 + // ========== l7 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group2_bb5 ========== + __t5 := true + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = const false + _13 := builtin$havoc_ref() + 
inhale acc(_13.val_bool, write) + _13.val_bool := false + // [mir] switchInt(move _13) -> [0: bb7, otherwise: bb6] + __t32 := _13.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. + // ========== loop3_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb3) + _preserve$0 := _1.val_ref + fold acc(usize(_4), write) + // obtain acc(usize(_4), write) + fold acc(bool(_7), write) + // obtain acc(bool(_7), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert _2 >= 0 + // obtain (_2) >= (0) + assert _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_4), write) in _4.val_int) <= _2 / 2 && + (unfolding acc(usize(_4), write) in _4.val_int) > 0) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(usize(_4), write) && + (acc(bool(_7), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _2 >= 0))) + _11 := builtin$havoc_ref() + _13 := builtin$havoc_ref() + _18 := builtin$havoc_ref() + _23 := builtin$havoc_ref() + _26 := builtin$havoc_ref() + _27 := builtin$havoc_ref() + _28 := builtin$havoc_ref() + _29 := builtin$havoc_int() + _30 := builtin$havoc_ref() + _31 := builtin$havoc_int() + _32 := builtin$havoc_ref() + _33 := builtin$havoc_int() + _4 := builtin$havoc_ref() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t34 := builtin$havoc_bool() + __t35 := builtin$havoc_bool() + __t36 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t40 := builtin$havoc_bool() + __t5 := 
builtin$havoc_bool() + __t6 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + // ========== loop3_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb3 + inhale acc(usize(_4), write) && + (acc(bool(_7), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _2 >= 0))) + inhale _preserve$0 == _1.val_ref + inhale true + // ========== loop3_group2a_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb36] + // ========== loop3_group2a_bb4 ========== + __t4 := true + // [mir] StorageLive(_11) + // [mir] _11 = _7 + _11 := builtin$havoc_ref() + inhale acc(_11.val_bool, write) + unfold acc(bool(_7), write) + _11.val_bool := _7.val_bool + label l8 + // [mir] switchInt(move _11) -> [0: bb18, otherwise: bb5] + __t33 := _11.val_bool + if (__t33) { + goto bb1 + } + goto l2 + + label bb1 + // ========== l10 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group2b_bb5 ========== + __t5 := true + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = const false + _13 := builtin$havoc_ref() + inhale acc(_13.val_bool, write) + _13.val_bool := false + // [mir] switchInt(move _13) -> [0: bb7, otherwise: bb6] + __t34 := _13.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb3 + inhale _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_4), write) in _4.val_int) <= _2 / 2 && + (unfolding acc(usize(_4), write) in _4.val_int) > 0) + // ========== loop3_group3_bb7 ========== + __t6 := true + // [mir] _12 = const () + // [mir] goto -> bb8 + // ========== loop3_group3_bb8 ========== + __t7 := true + // [mir] StorageDead(_13) + // [mir] StorageDead(_12) + // [mir] StorageLive(_17) + // [mir] StorageLive(_18) + // [mir] _18 = const false + _18 := builtin$havoc_ref() + inhale acc(_18.val_bool, write) + _18.val_bool := false + // [mir] switchInt(move _18) -> [0: bb10, otherwise: bb9] + __t35 := _18.val_bool + // Ignore default target bb9, as it is only used by Prusti to type-check a loop invariant. + // ========== loop3_group3_bb10 ========== + __t8 := true + // [mir] _17 = const () + // [mir] goto -> bb11 + // ========== loop3_group3_bb11 ========== + __t9 := true + // [mir] StorageDead(_18) + // [mir] StorageDead(_17) + // [mir] StorageLive(_22) + // [mir] StorageLive(_23) + // [mir] _23 = const false + _23 := builtin$havoc_ref() + inhale acc(_23.val_bool, write) + _23.val_bool := false + // [mir] switchInt(move _23) -> [0: bb13, otherwise: bb12] + __t36 := _23.val_bool + // Ignore default target bb12, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_group3_bb13 ========== + __t10 := true + // [mir] _22 = const () + // [mir] goto -> bb14 + // ========== loop3_group3_bb14 ========== + __t11 := true + // [mir] StorageDead(_23) + // [mir] StorageDead(_22) + // [mir] _26 = CheckedSub(_4, const 1_usize) + _26 := builtin$havoc_ref() + inhale acc(_26.tuple_0, write) + inhale acc(_26.tuple_0.val_int, write) + inhale acc(_26.tuple_1, write) + inhale acc(_26.tuple_1.val_bool, write) + unfold acc(usize(_4), write) + _26.tuple_0.val_int := _4.val_int - 1 + _26.tuple_1.val_bool := false + // [mir] assert(!move (_26.1: bool), "attempt to compute `{} - {}`, which would overflow", _4, const 1_usize) -> [success: bb15, unwind: bb36] + __t37 := _26.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t37 + // ========== loop3_group3_bb15 ========== + __t12 := true + // [mir] _4 = move (_26.0: usize) + _4 := _26.tuple_0 + label l11 + // [mir] StorageLive(_27) + // [mir] StorageLive(_28) + // [mir] _28 = &mut (*_1) + _28 := builtin$havoc_ref() + inhale acc(_28.val_ref, write) + _28.val_ref := _1.val_ref + label l12 + // [mir] StorageLive(_29) + // [mir] _29 = _4 + _29 := builtin$havoc_int() + _29 := _4.val_int + label l13 + // [mir] StorageLive(_30) + // [mir] StorageLive(_31) + // [mir] _31 = _2 + _31 := builtin$havoc_int() + inhale _2 >= 0 + _31 := _2 + label l14 + // [mir] _32 = CheckedSub(_31, const 1_usize) + _32 := builtin$havoc_ref() + inhale acc(_32.tuple_0, write) + inhale acc(_32.tuple_0.val_int, write) + inhale acc(_32.tuple_1, write) + inhale acc(_32.tuple_1.val_bool, write) + _32.tuple_0.val_int := _31 - 1 + _32.tuple_1.val_bool := false + // [mir] assert(!move (_32.1: bool), "attempt to compute `{} - {}`, which would overflow", move _31, const 1_usize) -> [success: bb16, unwind: bb36] + __t38 := _32.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t38 + // ========== loop3_group3_bb16 ========== + __t13 := true + // [mir] _30 = 
move (_32.0: usize) + _30 := _32.tuple_0 + label l15 + // [mir] StorageDead(_31) + // [mir] _27 = shift_down(move _28, move _29, move _30) -> [return: bb17, unwind: bb36] + label l16 + assert _30.val_int < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_28.val_ref)) && + (0 <= _29 && + _29 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_28.val_ref)) && + (0 <= _30.val_int && + _30.val_int < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_28.val_ref)))) + assert true + assert _29 >= 0 + fold acc(usize(_30), write) + exhale acc(_28.val_ref, write) && + (acc(struct$m_VecWrapperI32(_28.val_ref), write) && + (_29 >= 0 && acc(usize(_30), write))) + _27 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l16](_28.val_ref)), write) + inhale acc(tuple0$(_27), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l16](_28.val_ref))) == + old[l16](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_28.val_ref))) + label l17 + // ========== l18 ========== + // MIR edge bb16 --> bb17 + // Expire borrows + // expire_borrows ReborrowingDAG(L17,L6,) + + // ========== loop3_group3_bb17 ========== + __t14 := true + // [mir] StorageDead(_30) + // [mir] StorageDead(_29) + // [mir] StorageDead(_28) + // [mir] StorageDead(_27) + // [mir] StorageLive(_33) + // [mir] _33 = _4 + _33 := builtin$havoc_int() + _33 := _4.val_int + label l19 + // [mir] _7 = Gt(move _33, const 0_usize) + _7.val_bool := _33 > 0 + // [mir] 
StorageDead(_33) + // [mir] _10 = const () + // [mir] StorageDead(_11) + // [mir] goto -> bb3 + // ========== loop3_group4_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb36] + // ========== loop3_group4_bb4 ========== + __t4 := true + // [mir] StorageLive(_11) + // [mir] _11 = _7 + _11 := builtin$havoc_ref() + inhale acc(_11.val_bool, write) + _11.val_bool := _7.val_bool + label l20 + // [mir] switchInt(move _11) -> [0: bb18, otherwise: bb5] + __t39 := _11.val_bool + if (__t39) { + goto loop3_inv_post_fnspc + } + goto bb2 + + label bb2 + // ========== l21 ========== + // MIR edge bb4 --> bb18 + // ========== l49 ========== + // drop Acc(_13.val_bool, write) (Acc(_13.val_bool, write)) + // drop Acc(_23.val_bool, write) (Acc(_23.val_bool, write)) + // drop Acc(_31.val_int, write) (Acc(_31.val_int, write)) + // drop Acc(_32.tuple_1.val_bool, write) (Acc(_32.tuple_1.val_bool, write)) + // drop Acc(_26.tuple_1.val_bool, write) (Acc(_26.tuple_1.val_bool, write)) + // drop Acc(_32.tuple_0, write) (Acc(_32.tuple_0, write)) + // drop Acc(_18.val_bool, write) (Acc(_18.val_bool, write)) + // drop Acc(_26.tuple_0, write) (Acc(_26.tuple_0, write)) + // drop Acc(_33.val_int, write) (Acc(_33.val_int, write)) + // drop Pred(_27, write) (Pred(_27, write)) + // drop Acc(_32.tuple_1, write) (Acc(_32.tuple_1, write)) + // drop Acc(_26.tuple_1, write) (Acc(_26.tuple_1, write)) + goto loop3_start + + label l2 + // ========== l9 ========== + // MIR edge bb4 --> bb18 + goto end_of_method + + label l6 + // ========== l29 ========== + // MIR edge bb20 --> bb35 + goto end_of_method + + label l7 + // ========== l30 ========== + // MIR edge bb20 --> bb21 + // ========== loop19_group2b_bb21 ========== + __t18 := true + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] _42 = const false + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := false + // [mir] switchInt(move _42) -> [0: bb23, otherwise: 
bb22] + __t44 := _42.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. + // ========== loop19_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb19 + inhale _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_37), write) in _37.val_int) <= _2 && + (unfolding acc(usize(_37), write) in _37.val_int) > 1) + // ========== loop19_group3_bb23 ========== + __t19 := true + // [mir] _41 = const () + // [mir] goto -> bb24 + // ========== loop19_group3_bb24 ========== + __t20 := true + // [mir] StorageDead(_42) + // [mir] StorageDead(_41) + // [mir] StorageLive(_46) + // [mir] StorageLive(_47) + // [mir] _47 = const false + _47 := builtin$havoc_ref() + inhale acc(_47.val_bool, write) + _47.val_bool := false + // [mir] switchInt(move _47) -> [0: bb26, otherwise: bb25] + __t45 := _47.val_bool + // Ignore default target bb25, as it is only used by Prusti to type-check a loop invariant. + // ========== loop19_group3_bb26 ========== + __t21 := true + // [mir] _46 = const () + // [mir] goto -> bb27 + // ========== loop19_group3_bb27 ========== + __t22 := true + // [mir] StorageDead(_47) + // [mir] StorageDead(_46) + // [mir] StorageLive(_51) + // [mir] StorageLive(_52) + // [mir] _52 = const false + _52 := builtin$havoc_ref() + inhale acc(_52.val_bool, write) + _52.val_bool := false + // [mir] switchInt(move _52) -> [0: bb29, otherwise: bb28] + __t46 := _52.val_bool + // Ignore default target bb28, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop19_group3_bb29 ========== + __t23 := true + // [mir] _51 = const () + // [mir] goto -> bb30 + // ========== loop19_group3_bb30 ========== + __t24 := true + // [mir] StorageDead(_52) + // [mir] StorageDead(_51) + // [mir] _55 = CheckedSub(_37, const 1_usize) + _55 := builtin$havoc_ref() + inhale acc(_55.tuple_0, write) + inhale acc(_55.tuple_0.val_int, write) + inhale acc(_55.tuple_1, write) + inhale acc(_55.tuple_1.val_bool, write) + unfold acc(usize(_37), write) + _55.tuple_0.val_int := _37.val_int - 1 + _55.tuple_1.val_bool := false + // [mir] assert(!move (_55.1: bool), "attempt to compute `{} - {}`, which would overflow", _37, const 1_usize) -> [success: bb31, unwind: bb36] + __t47 := _55.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t47 + // ========== loop19_group3_bb31 ========== + __t25 := true + // [mir] _37 = move (_55.0: usize) + _37 := _55.tuple_0 + label l31 + // [mir] StorageLive(_56) + // [mir] _56 = const 0_usize + _56 := builtin$havoc_int() + _56 := 0 + // [mir] FakeRead(ForLet(None), _56) + // [mir] StorageLive(_57) + // [mir] StorageLive(_58) + // [mir] _58 = &mut (*_1) + _58 := builtin$havoc_ref() + inhale acc(_58.val_ref, write) + _58.val_ref := _1.val_ref + label l32 + // [mir] StorageLive(_59) + // [mir] _59 = _56 + _59 := builtin$havoc_int() + _59 := _56 + label l33 + // [mir] StorageLive(_60) + // [mir] _60 = _37 + _60 := builtin$havoc_int() + _60 := _37.val_int + label l34 + // [mir] _57 = VecWrapperI32::swap(move _58, move _59, move _60) -> [return: bb32, unwind: bb36] + label l35 + assert 0 <= _59 && + _59 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_58.val_ref)) && + (0 <= _60 && + _60 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_58.val_ref))) + assert 
true + assert _59 >= 0 + assert _60 >= 0 + exhale acc(_58.val_ref, write) && + (acc(struct$m_VecWrapperI32(_58.val_ref), write) && + (_59 >= 0 && _60 >= 0)) + _57 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l35](_58.val_ref)), write) + inhale acc(tuple0$(_57), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_58.val_ref))) == + old[l35](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_58.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_58.val_ref)), + old[l35](_59)) == + old[l35](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_58.val_ref), + _60)) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_58.val_ref)), + old[l35](_60)) == + old[l35](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_58.val_ref), + _59)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_58.val_ref)))) || + (_0_quant_0 == old[l35](_59) || + (!(_0_quant_0 == old[l35](_60)) ==> + 
f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l35](_58.val_ref)), + _0_quant_0) == + old[l35](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_58.val_ref), + _0_quant_0)))))))) + label l36 + // ========== l37 ========== + // MIR edge bb31 --> bb32 + // Expire borrows + // expire_borrows ReborrowingDAG(L20,L12,) + + // ========== loop19_group3_bb32 ========== + __t26 := true + // [mir] StorageDead(_60) + // [mir] StorageDead(_59) + // [mir] StorageDead(_58) + // [mir] StorageDead(_57) + // [mir] StorageLive(_61) + // [mir] StorageLive(_62) + // [mir] _62 = &mut (*_1) + _62 := builtin$havoc_ref() + inhale acc(_62.val_ref, write) + _62.val_ref := _1.val_ref + label l38 + // [mir] StorageLive(_63) + // [mir] _63 = _56 + _63 := builtin$havoc_int() + _63 := _56 + label l39 + // [mir] StorageLive(_64) + // [mir] StorageLive(_65) + // [mir] _65 = _37 + _65 := builtin$havoc_int() + _65 := _37.val_int + label l40 + // [mir] _66 = CheckedSub(_65, const 1_usize) + _66 := builtin$havoc_ref() + inhale acc(_66.tuple_0, write) + inhale acc(_66.tuple_0.val_int, write) + inhale acc(_66.tuple_1, write) + inhale acc(_66.tuple_1.val_bool, write) + _66.tuple_0.val_int := _65 - 1 + _66.tuple_1.val_bool := false + // [mir] assert(!move (_66.1: bool), "attempt to compute `{} - {}`, which would overflow", move _65, const 1_usize) -> [success: bb33, unwind: bb36] + __t48 := _66.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t48 + // ========== loop19_group3_bb33 ========== + __t27 := true + // [mir] _64 = move (_66.0: usize) + _64 := _66.tuple_0 + label l41 + // [mir] StorageDead(_65) + // [mir] _61 = shift_down(move _62, move _63, move _64) -> [return: bb34, unwind: bb36] + label l42 + assert _64.val_int < + 
f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_62.val_ref)) && + (0 <= _63 && + _63 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_62.val_ref)) && + (0 <= _64.val_int && + _64.val_int < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_62.val_ref)))) + assert true + assert _63 >= 0 + fold acc(usize(_64), write) + exhale acc(_62.val_ref, write) && + (acc(struct$m_VecWrapperI32(_62.val_ref), write) && + (_63 >= 0 && acc(usize(_64), write))) + _61 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l42](_62.val_ref)), write) + inhale acc(tuple0$(_61), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_62.val_ref))) == + old[l42](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_62.val_ref))) + label l43 + // ========== l44 ========== + // MIR edge bb33 --> bb34 + // Expire borrows + // expire_borrows ReborrowingDAG(L18,L13,) + + // ========== loop19_group3_bb34 ========== + __t28 := true + // [mir] StorageDead(_64) + // [mir] StorageDead(_63) + // [mir] StorageDead(_62) + // [mir] StorageDead(_61) + // [mir] StorageLive(_67) + // [mir] _67 = _37 + _67 := builtin$havoc_int() + _67 := _37.val_int + label l45 + // [mir] _38 = Gt(move _67, const 1_usize) + _38.val_bool := _67 > 1 + // [mir] StorageDead(_67) + // [mir] _10 = const () + // [mir] StorageDead(_56) + // [mir] StorageDead(_40) + // [mir] goto -> bb19 + // ========== loop19_group4_bb19 ========== + // This is a loop head + __t16 := true 
+ // [mir] falseUnwind -> [real: bb20, unwind: bb36] + // ========== loop19_group4_bb20 ========== + __t17 := true + // [mir] StorageLive(_40) + // [mir] _40 = _38 + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + _40.val_bool := _38.val_bool + label l46 + // [mir] switchInt(move _40) -> [0: bb35, otherwise: bb21] + __t49 := _40.val_bool + if (__t49) { + goto loop3_inv_post_perm + } + goto loop3_group2_bb5 + + label loop3_group1_bb3 + // ========== l26 ========== + // MIR edge bb20 --> bb35 + goto loop3_inv_pre + + label loop3_group1_bb4 + // ========== l27 ========== + // MIR edge bb20 --> bb21 + // ========== loop19_group2_bb21 ========== + __t18 := true + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] _42 = const false + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := false + // [mir] switchInt(move _42) -> [0: bb23, otherwise: bb22] + __t42 := _42.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop19_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb19) + _preserve$1 := _1.val_ref + fold acc(usize(_37), write) + // obtain acc(usize(_37), write) + fold acc(bool(_38), write) + // obtain acc(bool(_38), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert _2 >= 0 + // obtain (_2) >= (0) + assert _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_37), write) in _37.val_int) <= _2 && + (unfolding acc(usize(_37), write) in _37.val_int) > 1) + assert true + assert _preserve$1 == _1.val_ref + exhale acc(usize(_37), write) && + (acc(bool(_38), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _2 >= 0))) + _37 := builtin$havoc_ref() + _40 := builtin$havoc_ref() + _42 := builtin$havoc_ref() + _47 := builtin$havoc_ref() + _52 := builtin$havoc_ref() + _55 := builtin$havoc_ref() + _56 := builtin$havoc_int() + _57 := builtin$havoc_ref() + _58 := builtin$havoc_ref() + _59 := builtin$havoc_int() + _60 := builtin$havoc_int() + _61 := builtin$havoc_ref() + _62 := builtin$havoc_ref() + _63 := builtin$havoc_int() + _64 := builtin$havoc_ref() + _65 := builtin$havoc_int() + _66 := builtin$havoc_ref() + _67 := builtin$havoc_int() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t43 := builtin$havoc_bool() + __t44 := builtin$havoc_bool() + __t45 := builtin$havoc_bool() + __t46 := builtin$havoc_bool() + __t47 := 
builtin$havoc_bool() + __t48 := builtin$havoc_bool() + __t49 := builtin$havoc_bool() + __t50 := builtin$havoc_bool() + // ========== loop19_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb19 + inhale acc(usize(_37), write) && + (acc(bool(_38), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _2 >= 0))) + inhale _preserve$1 == _1.val_ref + inhale true + // ========== loop19_group2a_bb19 ========== + // This is a loop head + __t16 := true + // [mir] falseUnwind -> [real: bb20, unwind: bb36] + // ========== loop19_group2a_bb20 ========== + __t17 := true + // [mir] StorageLive(_40) + // [mir] _40 = _38 + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + unfold acc(bool(_38), write) + _40.val_bool := _38.val_bool + label l28 + // [mir] switchInt(move _40) -> [0: bb35, otherwise: bb21] + __t43 := _40.val_bool + if (__t43) { + goto l7 + } + goto l6 + + label loop3_group2_bb5 + // ========== l47 ========== + // MIR edge bb20 --> bb35 + // ========== l51 ========== + // drop Acc(_65.val_int, write) (Acc(_65.val_int, write)) + // drop Acc(_66.tuple_1.val_bool, write) (Acc(_66.tuple_1.val_bool, write)) + // drop Acc(_66.tuple_0, write) (Acc(_66.tuple_0, write)) + // drop Acc(_56.val_int, write) (Acc(_56.val_int, write)) + // drop Acc(_55.tuple_0, write) (Acc(_55.tuple_0, write)) + // drop Acc(_67.val_int, write) (Acc(_67.val_int, write)) + // drop Acc(_52.val_bool, write) (Acc(_52.val_bool, write)) + // drop Acc(_55.tuple_1.val_bool, write) (Acc(_55.tuple_1.val_bool, write)) + // drop Acc(_42.val_bool, write) (Acc(_42.val_bool, write)) + // drop Acc(_47.val_bool, write) (Acc(_47.val_bool, write)) + inhale _2 >= 0 + // drop Pred(_57, write) (Pred(_57, write)) + // drop Pred(_61, write) (Pred(_61, write)) + // drop Acc(_66.tuple_1, write) (Acc(_66.tuple_1, write)) + // drop Acc(_55.tuple_1, write) (Acc(_55.tuple_1, write)) + goto loop3_inv_pre + + label loop3_inv_post_fnspc + // ========== 
l22 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group5_bb5 ========== + __t5 := true + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = const false + _13 := builtin$havoc_ref() + inhale acc(_13.val_bool, write) + _13.val_bool := false + // [mir] switchInt(move _13) -> [0: bb7, otherwise: bb6] + __t40 := _13.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. + // ========== loop3_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb3) + fold acc(usize(_4), write) + // obtain acc(usize(_4), write) + fold acc(bool(_7), write) + // obtain acc(bool(_7), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert _2 >= 0 + // obtain (_2) >= (0) + assert _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_4), write) in _4.val_int) <= _2 / 2 && + (unfolding acc(usize(_4), write) in _4.val_int) > 0) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(usize(_4), write) && + (acc(bool(_7), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _2 >= 0))) + inhale false + goto end_of_method + + label loop3_inv_post_perm + // ========== l48 ========== + // MIR edge bb20 --> bb21 + // ========== loop19_group5_bb21 ========== + __t18 := true + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] _42 = const false + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := false + // [mir] switchInt(move _42) -> [0: bb23, otherwise: bb22] + __t50 := _42.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop19_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb19) + fold acc(usize(_37), write) + // obtain acc(usize(_37), write) + fold acc(bool(_38), write) + // obtain acc(bool(_38), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + // obtain (_2) >= (0) + assert _2 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + ((unfolding acc(usize(_37), write) in _37.val_int) <= _2 && + (unfolding acc(usize(_37), write) in _37.val_int) > 1) + assert true + assert _preserve$1 == _1.val_ref + exhale acc(usize(_37), write) && + (acc(bool(_38), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _2 >= 0))) + inhale false + goto end_of_method + + label loop3_inv_pre + // ========== bb35 ========== + __t29 := true + // [mir] StorageLive(_69) + // [mir] _0 = const () + // [mir] StorageDead(_69) + // [mir] StorageDead(_40) + // [mir] StorageDead(_38) + // [mir] StorageDead(_37) + // [mir] StorageDead(_7) + // [mir] StorageDead(_4) + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l50 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_VecWrapperI32(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label loop3_start + // ========== bb18 ========== + __t15 := true + // [mir] StorageLive(_35) + // [mir] _9 = const () + // [mir] StorageDead(_35) + // [mir] StorageDead(_11) + // [mir] StorageDead(_9) + // [mir] StorageLive(_37) + // [mir] _37 = _2 + _37 := builtin$havoc_ref() + inhale acc(_37.val_int, write) + _37.val_int := _2 + label l23 + // [mir] FakeRead(ForLet(None), _37) + // [mir] StorageLive(_38) + // [mir] StorageLive(_39) + // [mir] _39 = _37 + _39 := builtin$havoc_int() + _39 := _37.val_int + label l24 + // [mir] _38 = Gt(move _39, const 1_usize) + _38 := builtin$havoc_ref() + inhale acc(_38.val_bool, write) + _38.val_bool := _39 > 1 + // [mir] StorageDead(_39) + // [mir] FakeRead(ForLet(None), _38) + // [mir] goto -> bb19 + // ========== loop19_start ========== + // ========== loop19_group1_bb19 ========== + // This is a loop head + __t16 := true + // [mir] falseUnwind -> [real: bb20, unwind: bb36] + // ========== loop19_group1_bb20 
========== + __t17 := true + // [mir] StorageLive(_40) + // [mir] _40 = _38 + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + _40.val_bool := _38.val_bool + label l25 + // [mir] switchInt(move _40) -> [0: bb35, otherwise: bb21] + __t41 := _40.val_bool + if (__t41) { + goto loop3_group1_bb4 + } + goto loop3_group1_bb3 + + label return + // ========== l6 ========== + // MIR edge bb4 --> bb18 + goto loop3_start + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--main-Both.vpr new file mode 100644 index 00000000..1da878a8 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "Heapsort::main" + // Span: tests/verify/pass/rosetta/Heapsort.rs:92:1: 105:2 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := 
true + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--order-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--order-Both.vpr new file mode 100644 index 00000000..24c00029 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--order-Both.vpr 
@@ -0,0 +1,321 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field val_bool: Bool + +field val_int: Int + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +method m_order() returns (_0: Ref) +{ + var __t0: Bool + var _1: Ref + var _2: Ref + var _3: Int + var _4: Int + + label start + // ========== start ========== + // Def 
path: "Heapsort::order" + // Span: tests/verify/pass/rosetta/Heapsort.rs:88:1: 90:2 (#0) + __t0 := false + // Preconditions: + inhale acc(i32(_1), write) && acc(i32(_2), write) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = _1 + _3 := builtin$havoc_int() + unfold acc(i32(_1), write) + _3 := _1.val_int + label l0 + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + unfold acc(i32(_2), write) + _4 := _2.val_int + label l1 + // [mir] _0 = Lt(move _3, move _4) + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := _3 < _4 + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l3 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--shift_down-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--shift_down-Both.vpr new file mode 100644 index 00000000..6ed999b7 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/heapsort.rs/tests_verify_pass_rosetta_Heapsort_Heapsort.rs_Heapsort--shift_down-Both.vpr 
@@ -0,0 +1,1633 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + + function mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + + function mirror_simple$f_order__$TY$__$int$$$int$$$bool$(_1: Int, _2: Int): Bool +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): 
FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function 
f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function 
bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + 
function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1, + _2), + true] + + +function f_order__$TY$__$int$$$int$$$bool$(_1: Int, _2: Int): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_order__$TY$__$int$$$int$$$bool$(_1, _2), + true] +{ + _1 < _2 +} + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function 
snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) { + true +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_shift_down() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var _preserve$0: Ref + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var __t41: Bool + var __t42: Bool + var __t43: Bool + var __t44: Bool + var __t45: Bool + var _old$l22$0: Ref + var __t46: Bool + var _old$l28$0: Ref + var __t47: Bool + var __t48: Bool + var _old$l38$0: Ref + var _old$l43$0: Ref + var __t49: Bool 
+ var __t50: Bool + var __t51: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Int + var _4: Ref + var _5: Ref + var _7: Ref + var _9: Ref + var _14: Ref + var _19: Ref + var _22: Ref + var _23: Ref + var _24: Int + var _25: Ref + var _26: Ref + var _27: Ref + var _28: Int + var _29: Int + var _31: Ref + var _32: Ref + var _33: Ref + var _34: Int + var _35: Ref + var _36: Int + var _37: Ref + var _38: Int + var _39: Ref + var _40: Ref + var _41: Int + var _42: Int + var _43: Ref + var _44: Ref + var _45: Ref + var _46: Int + var _47: Ref + var _48: Ref + var _49: Ref + var _50: Int + var _51: Ref + var _52: Ref + var _53: Int + var _54: Int + var _55: Ref + var _56: Ref + var _57: Int + var _58: Ref + var _59: Ref + var _60: Int + var _61: Int + var _62: Ref + + label start + // ========== start ========== + // Def path: "Heapsort::shift_down" + // Span: tests/verify/pass/rosetta/Heapsort.rs:142:1: 165:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + __t27 := false + __t28 := false + __t29 := false + __t30 := false + __t31 := false + __t32 := false + __t33 := false + __t34 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && (_2 >= 0 && _3 >= 0)) + inhale true + inhale _3 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + (0 <= _2 && + _2 < + 
f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + (0 <= _3 && + _3 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)))) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_ref() + inhale acc(_4.val_int, write) + inhale _2 >= 0 + _4.val_int := _2 + label l0 + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_5) + // [mir] _5 = const true + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := true + // [mir] FakeRead(ForLet(None), _5) + // [mir] goto -> bb1 + // ========== loop1_start ========== + // ========== loop1_group1_bb1 ========== + // This is a loop head + __t1 := true + // [mir] falseUnwind -> [real: bb2, unwind: bb38] + // ========== loop1_group1_bb2 ========== + __t2 := true + // [mir] StorageLive(_7) + // [mir] _7 = _5 + _7 := builtin$havoc_ref() + inhale acc(_7.val_bool, write) + _7.val_bool := _5.val_bool + label l1 + // [mir] switchInt(move _7) -> [0: bb37, otherwise: bb3] + __t35 := _7.val_bool + if (__t35) { + goto bb0 + } + goto return + + label bb0 + // ========== l3 ========== + // MIR edge bb2 --> bb3 + // ========== loop1_group2_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = const false + _9 := builtin$havoc_ref() + inhale acc(_9.val_bool, write) + _9.val_bool := false + // [mir] switchInt(move _9) -> [0: bb5, otherwise: bb4] + __t36 := _9.val_bool + // Ignore default target bb4, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb1) + _preserve$0 := _1.val_ref + fold acc(bool(_5), write) + // obtain acc(bool(_5), write) + fold acc(usize(_4), write) + // obtain acc(usize(_4), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + // obtain (_3) >= (0) + assert 0 <= (unfolding acc(usize(_4), write) in _4.val_int) && + (unfolding acc(usize(_4), write) in _4.val_int) < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + (0 <= _3 && + _3 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)))) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(bool(_5), write) && + (acc(usize(_4), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _3 >= 0))) + _14 := builtin$havoc_ref() + _19 := builtin$havoc_ref() + _22 := builtin$havoc_ref() + _23 := builtin$havoc_ref() + _24 := builtin$havoc_int() + _25 := builtin$havoc_ref() + _26 := builtin$havoc_ref() + _27 := builtin$havoc_ref() + _28 := builtin$havoc_int() + _29 := builtin$havoc_int() + _31 := builtin$havoc_ref() + _32 := builtin$havoc_ref() + _33 := builtin$havoc_ref() + _34 := builtin$havoc_int() + _35 := builtin$havoc_ref() + _36 := builtin$havoc_int() + _37 := builtin$havoc_ref() + _38 := builtin$havoc_int() + _39 := builtin$havoc_ref() + _4 := builtin$havoc_ref() + _40 
:= builtin$havoc_ref() + _41 := builtin$havoc_int() + _42 := builtin$havoc_int() + _43 := builtin$havoc_ref() + _44 := builtin$havoc_ref() + _45 := builtin$havoc_ref() + _46 := builtin$havoc_int() + _47 := builtin$havoc_ref() + _48 := builtin$havoc_ref() + _49 := builtin$havoc_ref() + _50 := builtin$havoc_int() + _51 := builtin$havoc_ref() + _52 := builtin$havoc_ref() + _53 := builtin$havoc_int() + _54 := builtin$havoc_int() + _55 := builtin$havoc_ref() + _56 := builtin$havoc_ref() + _57 := builtin$havoc_int() + _58 := builtin$havoc_ref() + _59 := builtin$havoc_ref() + _60 := builtin$havoc_int() + _61 := builtin$havoc_int() + _62 := builtin$havoc_ref() + _7 := builtin$havoc_ref() + _9 := builtin$havoc_ref() + __t1 := builtin$havoc_bool() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t2 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t31 := builtin$havoc_bool() + __t32 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t40 := builtin$havoc_bool() + __t41 := builtin$havoc_bool() + __t42 := builtin$havoc_bool() + __t43 := builtin$havoc_bool() + __t44 := builtin$havoc_bool() + __t45 := builtin$havoc_bool() + __t46 := builtin$havoc_bool() + __t47 := builtin$havoc_bool() + __t48 := builtin$havoc_bool() + 
__t49 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t50 := builtin$havoc_bool() + __t51 := builtin$havoc_bool() + __t6 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + // ========== loop1_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb1 + inhale acc(bool(_5), write) && + (acc(usize(_4), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _3 >= 0))) + inhale _preserve$0 == _1.val_ref + inhale true + // ========== loop1_group2a_bb1 ========== + // This is a loop head + __t1 := true + // [mir] falseUnwind -> [real: bb2, unwind: bb38] + // ========== loop1_group2a_bb2 ========== + __t2 := true + // [mir] StorageLive(_7) + // [mir] _7 = _5 + _7 := builtin$havoc_ref() + inhale acc(_7.val_bool, write) + unfold acc(bool(_5), write) + _7.val_bool := _5.val_bool + label l4 + // [mir] switchInt(move _7) -> [0: bb37, otherwise: bb3] + __t37 := _7.val_bool + if (__t37) { + goto loop1_group1_bb1 + } + goto loop1_start + + label l2 + // ========== l17 ========== + // MIR edge bb20 --> bb18 + // ========== loop1_group3_bb18 ========== + __t15 := true + // [mir] StorageLive(_37) + // [mir] StorageLive(_38) + // [mir] StorageLive(_39) + // [mir] StorageLive(_40) + // [mir] _40 = &mut (*_1) + _40 := builtin$havoc_ref() + inhale acc(_40.val_ref, write) + _40.val_ref := _1.val_ref + label l19 + // [mir] StorageLive(_41) + // [mir] _41 = _22 + _41 := builtin$havoc_int() + _41 := _22.val_int + label l20 + // [mir] _39 = VecWrapperI32::borrow(move _40, move _41) -> [return: bb21, unwind: bb38] + label l21 + assert 0 <= _41 && + _41 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_40.val_ref)) + assert true + assert _41 >= 0 + exhale acc(_40.val_ref, write) && + (acc(struct$m_VecWrapperI32(_40.val_ref), write) && _41 >= 0) + 
_39 := builtin$havoc_ref() + inhale acc(_39.val_ref, write) && acc(i32(_39.val_ref), write) + inhale true + label l22 + // ========== loop1_group3_bb21 ========== + __t16 := true + // [mir] StorageDead(_41) + // [mir] StorageDead(_40) + // [mir] _38 = (*_39) + _38 := builtin$havoc_int() + unfold acc(i32(_39.val_ref), write) + _38 := _39.val_ref.val_int + label l23 + // expire_borrows ReborrowingDAG(L13,L14,L5,) + + if (__t15) { + // expire loan L13 + _old$l22$0 := _39.val_ref + inhale acc(DeadBorrowToken$(13), write) && acc(i32(_old$l22$0), write) --* + acc(struct$m_VecWrapperI32(old[l21](_40.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref))) == + old[l21](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_40.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref)), + old[l21](_41)) == + old[lhs]((unfolding acc(i32(_old$l22$0), write) in + _old$l22$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref)))) || + (!(_0_quant_0 == old[l21](_41)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref)), + _0_quant_0) == + old[l21](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_40.val_ref), + 
_0_quant_0))))))) + fold acc(i32(_old$l22$0), write) + inhale acc(DeadBorrowToken$(13), write) + apply acc(DeadBorrowToken$(13), write) && acc(i32(_old$l22$0), write) --* + acc(struct$m_VecWrapperI32(old[l21](_40.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref))) == + old[l21](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_40.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref)), + old[l21](_41)) == + old[lhs]((unfolding acc(i32(_old$l22$0), write) in + _old$l22$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref)))) || + (!(_0_quant_0 == old[l21](_41)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l21](_40.val_ref)), + _0_quant_0) == + old[l21](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_40.val_ref), + _0_quant_0))))))) + } + // [mir] StorageLive(_42) + // [mir] StorageLive(_43) + // [mir] StorageLive(_44) + // [mir] _44 = &mut (*_1) + _44 := builtin$havoc_ref() + inhale acc(_44.val_ref, write) + _44.val_ref := _1.val_ref + label l24 + // [mir] StorageLive(_45) + // [mir] StorageLive(_46) + // [mir] _46 = _22 + _46 := builtin$havoc_int() + _46 := _22.val_int + label l25 + // [mir] _47 = 
CheckedAdd(_46, const 1_usize) + _47 := builtin$havoc_ref() + inhale acc(_47.tuple_0, write) + inhale acc(_47.tuple_0.val_int, write) + inhale acc(_47.tuple_1, write) + inhale acc(_47.tuple_1.val_bool, write) + _47.tuple_0.val_int := _46 + 1 + _47.tuple_1.val_bool := false + // [mir] assert(!move (_47.1: bool), "attempt to compute `{} + {}`, which would overflow", move _46, const 1_usize) -> [success: bb22, unwind: bb38] + __t46 := _47.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t46 + // ========== loop1_group3_bb22 ========== + __t17 := true + // [mir] _45 = move (_47.0: usize) + _45 := _47.tuple_0 + label l26 + // [mir] StorageDead(_46) + // [mir] _43 = VecWrapperI32::borrow(move _44, move _45) -> [return: bb23, unwind: bb38] + label l27 + assert 0 <= _45.val_int && + _45.val_int < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_44.val_ref)) + assert true + fold acc(usize(_45), write) + exhale acc(_44.val_ref, write) && + (acc(struct$m_VecWrapperI32(_44.val_ref), write) && + acc(usize(_45), write)) + _43 := builtin$havoc_ref() + inhale acc(_43.val_ref, write) && acc(i32(_43.val_ref), write) + inhale true + label l28 + // ========== loop1_group3_bb23 ========== + __t18 := true + // [mir] StorageDead(_45) + // [mir] StorageDead(_44) + // [mir] _42 = (*_43) + _42 := builtin$havoc_int() + unfold acc(i32(_43.val_ref), write) + _42 := _43.val_ref.val_int + label l29 + // expire_borrows ReborrowingDAG(L16,L17,L6,) + + if (__t17) { + // expire loan L16 + _old$l28$0 := _43.val_ref + inhale acc(DeadBorrowToken$(16), write) && acc(i32(_old$l28$0), write) --* + acc(struct$m_VecWrapperI32(old[l27](_44.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref))) == + 
old[l27](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_44.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref)), + old[l27](_45.val_int)) == + old[lhs]((unfolding acc(i32(_old$l28$0), write) in + _old$l28$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref)))) || + (!(_0_quant_0 == old[l27](_45.val_int)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref)), + _0_quant_0) == + old[l27](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_44.val_ref), + _0_quant_0))))))) + fold acc(i32(_old$l28$0), write) + inhale acc(DeadBorrowToken$(16), write) + apply acc(DeadBorrowToken$(16), write) && acc(i32(_old$l28$0), write) --* + acc(struct$m_VecWrapperI32(old[l27](_44.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref))) == + old[l27](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_44.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref)), + 
old[l27](_45.val_int)) == + old[lhs]((unfolding acc(i32(_old$l28$0), write) in + _old$l28$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref)))) || + (!(_0_quant_0 == old[l27](_45.val_int)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_44.val_ref)), + _0_quant_0) == + old[l27](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_44.val_ref), + _0_quant_0))))))) + } + // [mir] _37 = order(move _38, move _42) -> [return: bb24, unwind: bb38] + label l30 + _37 := builtin$havoc_ref() + inhale acc(bool(_37), write) + inhale (unfolding acc(bool(_37), write) in _37.val_bool) == + f_order__$TY$__$int$$$int$$$bool$(_38, _42) + // ========== loop1_group3_bb24 ========== + __t19 := true + // [mir] StorageDead(_43) + // [mir] StorageDead(_42) + // [mir] StorageDead(_39) + // [mir] StorageDead(_38) + // [mir] _31 = move _37 + _31 := _37 + label l31 + // [mir] goto -> bb19 + // ========== l59 ========== + // drop Acc(_46.val_int, write) (Acc(_46.val_int, write)) + // drop Acc(_42.val_int, write) (Acc(_42.val_int, write)) + // drop Acc(_43.val_ref, write) (Acc(_43.val_ref, write)) + // drop Acc(_39.val_ref, write) (Acc(_39.val_ref, write)) + // drop Acc(_38.val_int, write) (Acc(_38.val_int, write)) + unfold acc(bool(_31), write) + // drop Acc(_47.tuple_1.val_bool, write) (Acc(_47.tuple_1.val_bool, write)) + // drop Acc(_47.tuple_0, write) (Acc(_47.tuple_0, write)) + // drop Acc(_47.tuple_1, write) (Acc(_47.tuple_1, write)) + goto loop1_group2_bb3 + + label l3 + // ========== l18 ========== + // MIR edge bb20 --> 
bb17 + // ========== loop1_group3_bb17 ========== + __t20 := true + // [mir] _31 = const false + _31 := builtin$havoc_ref() + inhale acc(_31.val_bool, write) + _31.val_bool := false + // [mir] goto -> bb19 + goto loop1_group2_bb3 + + label l5 + // ========== loop1_group3_bb35 ========== + __t32 := true + // [mir] StorageDead(_49) + // [mir] goto -> bb36 + // ========== l63 ========== + // drop Acc(_51.val_ref, write) (Acc(_51.val_ref, write)) + // drop Acc(_35.tuple_1.val_bool, write) (Acc(_35.tuple_1.val_bool, write)) + // drop Acc(_54.val_int, write) (Acc(_54.val_int, write)) + // drop Acc(_49.val_bool, write) (Acc(_49.val_bool, write)) + // drop Acc(_50.val_int, write) (Acc(_50.val_int, write)) + // drop Acc(_31.val_bool, write) (Acc(_31.val_bool, write)) + // drop Acc(_35.tuple_0, write) (Acc(_35.tuple_0, write)) + // drop Acc(_36.val_int, write) (Acc(_36.val_int, write)) + // drop Acc(_34.val_int, write) (Acc(_34.val_int, write)) + // drop Acc(_32.val_bool, write) (Acc(_32.val_bool, write)) + // drop Acc(_33.val_int, write) (Acc(_33.val_int, write)) + // drop Acc(_55.val_ref, write) (Acc(_55.val_ref, write)) + // drop Acc(_35.tuple_1, write) (Acc(_35.tuple_1, write)) + goto loop1_group2b_bb3 + + label l6 + // ========== l13 ========== + // MIR edge bb14 --> bb15 + // ========== loop1_group3_bb15 ========== + __t12 := true + // [mir] _5 = const false + _5.val_bool := false + // [mir] _6 = const () + // [mir] goto -> bb36 + goto loop1_group2b_bb3 + + label loop1_group1_bb1 + // ========== l6 ========== + // MIR edge bb2 --> bb3 + // ========== loop1_group2b_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = const false + _9 := builtin$havoc_ref() + inhale acc(_9.val_bool, write) + _9.val_bool := false + // [mir] switchInt(move _9) -> [0: bb5, otherwise: bb4] + __t38 := _9.val_bool + // Ignore default target bb4, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb1 + inhale 0 <= (unfolding acc(usize(_4), write) in _4.val_int) && + (unfolding acc(usize(_4), write) in _4.val_int) < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + (0 <= _3 && + _3 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)))) + // ========== loop1_group3_bb5 ========== + __t4 := true + // [mir] _8 = const () + // [mir] goto -> bb6 + // ========== loop1_group3_bb6 ========== + __t5 := true + // [mir] StorageDead(_9) + // [mir] StorageDead(_8) + // [mir] StorageLive(_13) + // [mir] StorageLive(_14) + // [mir] _14 = const false + _14 := builtin$havoc_ref() + inhale acc(_14.val_bool, write) + _14.val_bool := false + // [mir] switchInt(move _14) -> [0: bb8, otherwise: bb7] + __t39 := _14.val_bool + // Ignore default target bb7, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_group3_bb8 ========== + __t6 := true + // [mir] _13 = const () + // [mir] goto -> bb9 + // ========== loop1_group3_bb9 ========== + __t7 := true + // [mir] StorageDead(_14) + // [mir] StorageDead(_13) + // [mir] StorageLive(_18) + // [mir] StorageLive(_19) + // [mir] _19 = const false + _19 := builtin$havoc_ref() + inhale acc(_19.val_bool, write) + _19.val_bool := false + // [mir] switchInt(move _19) -> [0: bb11, otherwise: bb10] + __t40 := _19.val_bool + // Ignore default target bb10, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_bb11 ========== + __t8 := true + // [mir] _18 = const () + // [mir] goto -> bb12 + // ========== loop1_group3_bb12 ========== + __t9 := true + // [mir] StorageDead(_19) + // [mir] StorageDead(_18) + // [mir] StorageLive(_22) + // [mir] StorageLive(_23) + // [mir] StorageLive(_24) + // [mir] _24 = _4 + _24 := builtin$havoc_int() + unfold acc(usize(_4), write) + _24 := _4.val_int + label l7 + // [mir] _25 = CheckedMul(_24, const 2_usize) + _25 := builtin$havoc_ref() + inhale acc(_25.tuple_0, write) + inhale acc(_25.tuple_0.val_int, write) + inhale acc(_25.tuple_1, write) + inhale acc(_25.tuple_1.val_bool, write) + _25.tuple_0.val_int := _24 * 2 + _25.tuple_1.val_bool := false + // [mir] assert(!move (_25.1: bool), "attempt to compute `{} * {}`, which would overflow", move _24, const 2_usize) -> [success: bb13, unwind: bb38] + __t41 := _25.tuple_1.val_bool + // Rust assertion: attempt to multiply with overflow + assert !__t41 + // ========== loop1_group3_bb13 ========== + __t10 := true + // [mir] _23 = move (_25.0: usize) + _23 := _25.tuple_0 + label l8 + // [mir] StorageDead(_24) + // [mir] _26 = CheckedAdd(_23, const 1_usize) + _26 := builtin$havoc_ref() + inhale acc(_26.tuple_0, write) + inhale acc(_26.tuple_0.val_int, write) + inhale acc(_26.tuple_1, write) + inhale acc(_26.tuple_1.val_bool, write) + _26.tuple_0.val_int := _23.val_int + 1 + _26.tuple_1.val_bool := false + 
// [mir] assert(!move (_26.1: bool), "attempt to compute `{} + {}`, which would overflow", move _23, const 1_usize) -> [success: bb14, unwind: bb38] + __t42 := _26.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t42 + // ========== loop1_group3_bb14 ========== + __t11 := true + // [mir] _22 = move (_26.0: usize) + _22 := _26.tuple_0 + label l9 + // [mir] StorageDead(_23) + // [mir] FakeRead(ForLet(None), _22) + // [mir] StorageLive(_27) + // [mir] StorageLive(_28) + // [mir] _28 = _22 + _28 := builtin$havoc_int() + _28 := _22.val_int + label l10 + // [mir] StorageLive(_29) + // [mir] _29 = _3 + _29 := builtin$havoc_int() + inhale _3 >= 0 + _29 := _3 + label l11 + // [mir] _27 = Gt(move _28, move _29) + _27 := builtin$havoc_ref() + inhale acc(_27.val_bool, write) + _27.val_bool := _28 > _29 + // [mir] StorageDead(_29) + // [mir] StorageDead(_28) + // [mir] switchInt(move _27) -> [0: bb16, otherwise: bb15] + __t43 := _27.val_bool + if (__t43) { + goto l6 + } + goto loop1_group1_bb2 + + label loop1_group1_bb2 + // ========== l12 ========== + // MIR edge bb14 --> bb16 + // ========== loop1_group3_bb16 ========== + __t13 := true + // [mir] StorageLive(_30) + // [mir] StorageLive(_31) + // [mir] StorageLive(_32) + // [mir] StorageLive(_33) + // [mir] StorageLive(_34) + // [mir] _34 = _22 + _34 := builtin$havoc_int() + _34 := _22.val_int + label l14 + // [mir] _35 = CheckedAdd(_34, const 1_usize) + _35 := builtin$havoc_ref() + inhale acc(_35.tuple_0, write) + inhale acc(_35.tuple_0.val_int, write) + inhale acc(_35.tuple_1, write) + inhale acc(_35.tuple_1.val_bool, write) + _35.tuple_0.val_int := _34 + 1 + _35.tuple_1.val_bool := false + // [mir] assert(!move (_35.1: bool), "attempt to compute `{} + {}`, which would overflow", move _34, const 1_usize) -> [success: bb20, unwind: bb38] + __t44 := _35.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t44 + // ========== loop1_group3_bb20 ========== + __t14 := true + 
// [mir] _33 = move (_35.0: usize) + _33 := _35.tuple_0 + label l15 + // [mir] StorageDead(_34) + // [mir] StorageLive(_36) + // [mir] _36 = _3 + _36 := builtin$havoc_int() + _36 := _3 + label l16 + // [mir] _32 = Le(move _33, move _36) + _32 := builtin$havoc_ref() + inhale acc(_32.val_bool, write) + _32.val_bool := _33.val_int <= _36 + // [mir] StorageDead(_36) + // [mir] StorageDead(_33) + // [mir] switchInt(move _32) -> [0: bb17, otherwise: bb18] + __t45 := _32.val_bool + if (!__t45) { + goto l3 + } + goto l2 + + label loop1_group2_bb3 + // ========== loop1_group3_bb19 ========== + __t21 := true + // [mir] StorageDead(_37) + // [mir] StorageDead(_32) + // [mir] switchInt(move _31) -> [0: bb27, otherwise: bb25] + __t47 := _31.val_bool + if (!__t47) { + goto loop1_inv_post_perm + } + goto loop1_inv_pre + + label loop1_group2a_bb1 + // ========== l46 ========== + // MIR edge bb31 --> bb32 + // ========== loop1_group3_bb32 ========== + __t29 := true + // [mir] StorageLive(_58) + // [mir] StorageLive(_59) + // [mir] _59 = &mut (*_1) + _59 := builtin$havoc_ref() + inhale acc(_59.val_ref, write) + _59.val_ref := _1.val_ref + label l48 + // [mir] StorageLive(_60) + // [mir] _60 = _4 + _60 := builtin$havoc_int() + _60 := _4.val_int + label l49 + // [mir] StorageLive(_61) + // [mir] _61 = _22 + _61 := builtin$havoc_int() + _61 := _22.val_int + label l50 + // [mir] _58 = VecWrapperI32::swap(move _59, move _60, move _61) -> [return: bb33, unwind: bb38] + label l51 + assert 0 <= _60 && + _60 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_59.val_ref)) && + (0 <= _61 && + _61 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_59.val_ref))) + assert true + assert _60 >= 0 + assert _61 >= 0 + exhale acc(_59.val_ref, write) && + 
(acc(struct$m_VecWrapperI32(_59.val_ref), write) && + (_60 >= 0 && _61 >= 0)) + _58 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l51](_59.val_ref)), write) + inhale acc(tuple0$(_58), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l51](_59.val_ref))) == + old[l51](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_59.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l51](_59.val_ref)), + old[l51](_60)) == + old[l51](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_59.val_ref), + _61)) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l51](_59.val_ref)), + old[l51](_61)) == + old[l51](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_59.val_ref), + _60)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l51](_59.val_ref)))) || + (_0_quant_0 == old[l51](_60) || + (!(_0_quant_0 == old[l51](_61)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l51](_59.val_ref)), + _0_quant_0) == + 
old[l51](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_59.val_ref), + _0_quant_0)))))))) + label l52 + // ========== l53 ========== + // MIR edge bb32 --> bb33 + // Expire borrows + // expire_borrows ReborrowingDAG(L15,L9,) + + // ========== loop1_group3_bb33 ========== + __t30 := true + // [mir] StorageDead(_61) + // [mir] StorageDead(_60) + // [mir] StorageDead(_59) + // [mir] StorageDead(_58) + // [mir] StorageLive(_62) + // [mir] _62 = _22 + _62 := builtin$havoc_ref() + inhale acc(_62.val_int, write) + _62.val_int := _22.val_int + label l54 + // [mir] _4 = move _62 + _4 := _62 + label l55 + // [mir] _6 = const () + // [mir] StorageDead(_62) + // [mir] goto -> bb35 + // ========== l62 ========== + // drop Pred(_58, write) (Pred(_58, write)) + goto l5 + + label loop1_group2a_bb2 + // ========== l47 ========== + // MIR edge bb31 --> bb34 + // ========== loop1_group3_bb34 ========== + __t31 := true + // [mir] _5 = const false + _5.val_bool := false + // [mir] _6 = const () + // [mir] goto -> bb35 + goto l5 + + label loop1_group2b_bb3 + // ========== loop1_group3_bb36 ========== + __t33 := true + // [mir] StorageDead(_27) + // [mir] StorageDead(_22) + // [mir] StorageDead(_7) + // [mir] goto -> bb1 + // ========== loop1_group4_bb1 ========== + // This is a loop head + __t1 := true + // [mir] falseUnwind -> [real: bb2, unwind: bb38] + // ========== loop1_group4_bb2 ========== + __t2 := true + // [mir] StorageLive(_7) + // [mir] _7 = _5 + _7 := builtin$havoc_ref() + inhale acc(_7.val_bool, write) + _7.val_bool := _5.val_bool + label l56 + // [mir] switchInt(move _7) -> [0: bb37, otherwise: bb3] + __t50 := _7.val_bool + if (__t50) { + goto loop1_group3_bb8 + } + goto loop1_group3_bb5 + + label loop1_group3_bb5 + // ========== l57 ========== + // MIR edge bb2 --> bb37 + // ========== l65 ========== + // drop Acc(_19.val_bool, write) (Acc(_19.val_bool, 
write)) + // drop Acc(_29.val_int, write) (Acc(_29.val_int, write)) + // drop Acc(_25.tuple_0, write) (Acc(_25.tuple_0, write)) + // drop Acc(_9.val_bool, write) (Acc(_9.val_bool, write)) + // drop Acc(_28.val_int, write) (Acc(_28.val_int, write)) + // drop Acc(_14.val_bool, write) (Acc(_14.val_bool, write)) + // drop Acc(_23.val_int, write) (Acc(_23.val_int, write)) + // drop Acc(_25.tuple_1.val_bool, write) (Acc(_25.tuple_1.val_bool, write)) + // drop Acc(_26.tuple_1.val_bool, write) (Acc(_26.tuple_1.val_bool, write)) + // drop Acc(_24.val_int, write) (Acc(_24.val_int, write)) + // drop Acc(_26.tuple_0, write) (Acc(_26.tuple_0, write)) + // drop Acc(_22.val_int, write) (Acc(_22.val_int, write)) + // drop Acc(_27.val_bool, write) (Acc(_27.val_bool, write)) + // drop Acc(_25.tuple_1, write) (Acc(_25.tuple_1, write)) + // drop Acc(_26.tuple_1, write) (Acc(_26.tuple_1, write)) + goto loop1_group3_bb6 + + label loop1_group3_bb6 + // ========== bb37 ========== + __t34 := true + // [mir] StorageLive(_64) + // [mir] _0 = const () + // [mir] StorageDead(_64) + // [mir] StorageDead(_7) + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l60 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_old$pre$0)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_VecWrapperI32(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label loop1_group3_bb8 + // ========== l58 ========== + // MIR edge bb2 --> bb3 + // ========== loop1_group5_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = const false + _9 := builtin$havoc_ref() + inhale acc(_9.val_bool, write) + _9.val_bool := false + // [mir] switchInt(move _9) -> [0: bb5, otherwise: bb4] + __t51 := _9.val_bool + // Ignore default target bb4, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb1) + fold acc(bool(_5), write) + // obtain acc(bool(_5), write) + fold acc(usize(_4), write) + // obtain acc(usize(_4), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert _3 >= 0 + // obtain (_3) >= (0) + assert 0 <= (unfolding acc(usize(_4), write) in _4.val_int) && + (unfolding acc(usize(_4), write) in _4.val_int) < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + (0 <= _3 && + _3 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) && + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) == + old[pre](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)))) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(bool(_5), write) && + (acc(usize(_4), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && _3 >= 0))) + inhale false + goto end_of_method + + label loop1_inv_post_fnspc + // ========== loop1_group3_bb28 ========== + __t25 := true + // [mir] StorageDead(_31) + // [mir] StorageDead(_30) + // [mir] StorageLive(_49) + // [mir] StorageLive(_50) + // [mir] StorageLive(_51) + // [mir] StorageLive(_52) + // [mir] _52 = &mut (*_1) + _52 := builtin$havoc_ref() + inhale acc(_52.val_ref, write) + _52.val_ref := _1.val_ref + label l35 + // [mir] StorageLive(_53) + // [mir] _53 = _4 + _53 := builtin$havoc_int() + _53 := _4.val_int + label l36 + // [mir] _51 = VecWrapperI32::borrow(move _52, move _53) -> 
[return: bb29, unwind: bb38] + label l37 + assert 0 <= _53 && + _53 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_52.val_ref)) + assert true + assert _53 >= 0 + exhale acc(_52.val_ref, write) && + (acc(struct$m_VecWrapperI32(_52.val_ref), write) && _53 >= 0) + _51 := builtin$havoc_ref() + inhale acc(_51.val_ref, write) && acc(i32(_51.val_ref), write) + inhale true + label l38 + // ========== loop1_group3_bb29 ========== + __t26 := true + // [mir] StorageDead(_53) + // [mir] StorageDead(_52) + // [mir] _50 = (*_51) + _50 := builtin$havoc_int() + unfold acc(i32(_51.val_ref), write) + _50 := _51.val_ref.val_int + label l39 + // expire_borrows ReborrowingDAG(L18,L19,L7,) + + if (__t25) { + // expire loan L18 + _old$l38$0 := _51.val_ref + inhale acc(DeadBorrowToken$(18), write) && acc(i32(_old$l38$0), write) --* + acc(struct$m_VecWrapperI32(old[l37](_52.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref))) == + old[l37](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_52.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref)), + old[l37](_53)) == + old[lhs]((unfolding acc(i32(_old$l38$0), write) in + _old$l38$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref)))) || + (!(_0_quant_0 == old[l37](_53)) ==> + 
f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref)), + _0_quant_0) == + old[l37](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_52.val_ref), + _0_quant_0))))))) + fold acc(i32(_old$l38$0), write) + inhale acc(DeadBorrowToken$(18), write) + apply acc(DeadBorrowToken$(18), write) && acc(i32(_old$l38$0), write) --* + acc(struct$m_VecWrapperI32(old[l37](_52.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref))) == + old[l37](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_52.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref)), + old[l37](_53)) == + old[lhs]((unfolding acc(i32(_old$l38$0), write) in + _old$l38$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref)))) || + (!(_0_quant_0 == old[l37](_53)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l37](_52.val_ref)), + _0_quant_0) == + old[l37](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_52.val_ref), + 
_0_quant_0))))))) + } + // [mir] StorageLive(_54) + // [mir] StorageLive(_55) + // [mir] StorageLive(_56) + // [mir] _56 = &mut (*_1) + _56 := builtin$havoc_ref() + inhale acc(_56.val_ref, write) + _56.val_ref := _1.val_ref + label l40 + // [mir] StorageLive(_57) + // [mir] _57 = _22 + _57 := builtin$havoc_int() + _57 := _22.val_int + label l41 + // [mir] _55 = VecWrapperI32::borrow(move _56, move _57) -> [return: bb30, unwind: bb38] + label l42 + assert 0 <= _57 && + _57 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_56.val_ref)) + assert true + assert _57 >= 0 + exhale acc(_56.val_ref, write) && + (acc(struct$m_VecWrapperI32(_56.val_ref), write) && _57 >= 0) + _55 := builtin$havoc_ref() + inhale acc(_55.val_ref, write) && acc(i32(_55.val_ref), write) + inhale true + label l43 + // ========== loop1_group3_bb30 ========== + __t27 := true + // [mir] StorageDead(_57) + // [mir] StorageDead(_56) + // [mir] _54 = (*_55) + _54 := builtin$havoc_int() + unfold acc(i32(_55.val_ref), write) + _54 := _55.val_ref.val_int + label l44 + // expire_borrows ReborrowingDAG(L20,L21,L8,) + + if (__t26) { + // expire loan L20 + _old$l43$0 := _55.val_ref + inhale acc(DeadBorrowToken$(20), write) && acc(i32(_old$l43$0), write) --* + acc(struct$m_VecWrapperI32(old[l42](_56.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref))) == + old[l42](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_56.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref)), + old[l42](_57)) == + 
old[lhs]((unfolding acc(i32(_old$l43$0), write) in + _old$l43$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref)))) || + (!(_0_quant_0 == old[l42](_57)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref)), + _0_quant_0) == + old[l42](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_56.val_ref), + _0_quant_0))))))) + fold acc(i32(_old$l43$0), write) + inhale acc(DeadBorrowToken$(20), write) + apply acc(DeadBorrowToken$(20), write) && acc(i32(_old$l43$0), write) --* + acc(struct$m_VecWrapperI32(old[l42](_56.val_ref)), write) && + (f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref))) == + old[l42](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_56.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref)), + old[l42](_57)) == + old[lhs]((unfolding acc(i32(_old$l43$0), write) in + _old$l43$0.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref)))) || + (!(_0_quant_0 == old[l42](_57)) ==> + 
f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l42](_56.val_ref)), + _0_quant_0) == + old[l42](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_56.val_ref), + _0_quant_0))))))) + } + // [mir] _49 = order(move _50, move _54) -> [return: bb31, unwind: bb38] + label l45 + _49 := builtin$havoc_ref() + inhale acc(bool(_49), write) + inhale (unfolding acc(bool(_49), write) in _49.val_bool) == + f_order__$TY$__$int$$$int$$$bool$(_50, _54) + // ========== loop1_group3_bb31 ========== + __t28 := true + // [mir] StorageDead(_55) + // [mir] StorageDead(_54) + // [mir] StorageDead(_51) + // [mir] StorageDead(_50) + // [mir] switchInt(move _49) -> [0: bb34, otherwise: bb32] + unfold acc(bool(_49), write) + __t49 := _49.val_bool + if (!__t49) { + goto loop1_group2a_bb2 + } + goto loop1_group2a_bb1 + + label loop1_inv_post_perm + // ========== l33 ========== + // MIR edge bb19 --> bb27 + // ========== loop1_group3_bb27 ========== + __t24 := true + // [mir] _30 = const () + // [mir] goto -> bb28 + goto loop1_inv_post_fnspc + + label loop1_inv_pre + // ========== l32 ========== + // MIR edge bb19 --> bb25 + // ========== loop1_group3_bb25 ========== + __t22 := true + // [mir] _48 = CheckedAdd(_22, const 1_usize) + _48 := builtin$havoc_ref() + inhale acc(_48.tuple_0, write) + inhale acc(_48.tuple_0.val_int, write) + inhale acc(_48.tuple_1, write) + inhale acc(_48.tuple_1.val_bool, write) + _48.tuple_0.val_int := _22.val_int + 1 + _48.tuple_1.val_bool := false + // [mir] assert(!move (_48.1: bool), "attempt to compute `{} + {}`, which would overflow", _22, const 1_usize) -> [success: bb26, unwind: bb38] + __t48 := _48.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t48 + // ========== loop1_group3_bb26 ========== + __t23 
:= true + // [mir] _22 = move (_48.0: usize) + _22 := _48.tuple_0 + label l34 + // [mir] _30 = const () + // [mir] goto -> bb28 + // ========== l61 ========== + // drop Acc(_48.tuple_1.val_bool, write) (Acc(_48.tuple_1.val_bool, write)) + // drop Acc(_48.tuple_0, write) (Acc(_48.tuple_0, write)) + // drop Acc(_48.tuple_1, write) (Acc(_48.tuple_1, write)) + goto loop1_inv_post_fnspc + + label loop1_start + // ========== l5 ========== + // MIR edge bb2 --> bb37 + goto end_of_method + + label return + // ========== l2 ========== + // MIR edge bb2 --> bb37 + // ========== l64 ========== + inhale _3 >= 0 + goto loop1_group3_bb6 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--available-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--available-Both.vpr new file mode 100644 index 00000000..ebf1ad45 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--available-Both.vpr 
@@ -0,0 +1,761 @@ +domain MirrorDomain { + + function mirror_simple$f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(_1: Snap$struct$m_VecVecWrapperI32, + _2: Int, _3: Int): Int + + function mirror_simple$f_size__$TY$__$int$(): Int +} + +domain Snap$struct$m_VecVecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global): Snap$struct$m_VecVecWrapperI32 + + function Snap$struct$m_VecVecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecVecWrapperI32): Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecVecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_l_0) == + 
cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecVecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global :: + { Snap$struct$m_VecVecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_0)) } + Snap$struct$m_VecVecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: 
FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation 
"fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: 
BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int 
interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" 
+ + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$field: Ref + +field f$v: Ref + +field f$x: Ref + +field f$y: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(_1: Snap$struct$m_VecVecWrapperI32, + _2: Int, _3: Int): Int + requires true + requires 0 <= _2 && _2 < f_size__$TY$__$int$() && + (0 <= _3 && _3 < f_size__$TY$__$int$()) + ensures true + ensures [result == + mirror_simple$f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(_1, + _2, _3), + true] + + +function f_size__$TY$__$int$(): Int + requires true + requires true + ensures result == 8 + ensures [result == mirror_simple$f_size__$TY$__$int$(), true] + + +function snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(self: Ref): Snap$struct$m_VecVecWrapperI32 + requires acc(struct$m_VecVecWrapperI32(self), read$()) +{ + 
cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32((unfolding acc(struct$m_VecVecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_Board(self: Ref) { + acc(self.f$field, write) && + acc(struct$m_VecVecWrapperI32(self.f$field), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_VecVecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate 
struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self: Ref) + +method m_Board$$available() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Int + var _9: Ref + var _10: Int + var _11: Ref + var _12: Ref + var _13: Int + var _14: Ref + var _15: Int + var _16: Ref + var _17: Ref + var _18: Ref + var _19: Ref + var _20: Ref + var _21: Int + var _22: Int + + label start + // ========== start ========== + // Def path: "Knights_tour::{impl#4}::available" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:180:5: 184:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Board(_1.val_ref), write) && + acc(struct$m_Point(_2), write)) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = (_2.0: i32) + _8 := builtin$havoc_int() + unfold acc(struct$m_Point(_2), write) + unfold acc(i32(_2.f$x), write) + _8 := _2.f$x.val_int + label l0 + // [mir] _7 = Le(const 0_i32, move _8) + _7 := builtin$havoc_ref() + inhale acc(_7.val_bool, write) + _7.val_bool := 0 <= _8 + // [mir] StorageDead(_8) + // [mir] switchInt(move _7) -> [0: bb7, otherwise: bb8] + 
__t16 := _7.val_bool + if (!__t16) { + goto bb0 + } + goto return + + label bb0 + // ========== l2 ========== + // MIR edge bb0 --> bb7 + // ========== bb7 ========== + __t3 := true + // [mir] _6 = const false + _6 := builtin$havoc_ref() + inhale acc(_6.val_bool, write) + _6.val_bool := false + // [mir] goto -> bb9 + goto l1 + + label bb10 + // ========== bb6 ========== + __t7 := true + // [mir] StorageDead(_12) + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb1, otherwise: bb2] + __t18 := _5.val_bool + if (!__t18) { + goto bb9 + } + goto bb7 + + label bb4 + // ========== bb14 ========== + __t15 := true + // [mir] StorageDead(_18) + // [mir] StorageDead(_17) + // [mir] StorageDead(_4) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l25 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_Board(_1.val_ref), write) + // obtain acc(struct$m_Board(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(bool(_0), write) in _0.val_bool) ==> + 0 <= + old[pre]((unfolding acc(struct$m_Point(_2), write) in + (unfolding acc(i32(_2.f$x), write) in _2.f$x.val_int))) && + (old[pre]((unfolding acc(struct$m_Point(_2), write) in + (unfolding acc(i32(_2.f$x), write) in _2.f$x.val_int))) < + f_size__$TY$__$int$() && + (0 <= + old[pre]((unfolding acc(struct$m_Point(_2), write) in + (unfolding acc(i32(_2.f$y), write) in _2.f$y.val_int))) && + old[pre]((unfolding acc(struct$m_Point(_2), write) in + (unfolding acc(i32(_2.f$y), write) in _2.f$y.val_int))) < + f_size__$TY$__$int$())) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Board(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale 
acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label bb5 + // ========== l17 ========== + // MIR edge bb3 --> bb12 + // ========== bb12 ========== + __t14 := true + // [mir] _0 = const false + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := false + // [mir] goto -> bb14 + // ========== l30 ========== + unfold acc(struct$m_Board(_1.val_ref), write) + goto bb4 + + label bb7 + // ========== l10 ========== + // MIR edge bb6 --> bb2 + // ========== bb2 ========== + __t8 := true + // [mir] StorageLive(_14) + // [mir] StorageLive(_15) + // [mir] _15 = (_2.1: i32) + _15 := builtin$havoc_int() + _15 := _2.f$y.val_int + label l12 + // [mir] StorageLive(_16) + // [mir] _16 = size() -> [return: bb11, unwind: bb16] + label l13 + _16 := builtin$havoc_ref() + inhale acc(i32(_16), write) + inhale (unfolding acc(i32(_16), write) in _16.val_int) == + f_size__$TY$__$int$() + // ========== bb11 ========== + __t9 := true + // [mir] _14 = Lt(move _15, move _16) + _14 := builtin$havoc_ref() + inhale acc(_14.val_bool, write) + unfold acc(i32(_16), write) + _14.val_bool := _15 < _16.val_int + // [mir] StorageDead(_16) + // [mir] StorageDead(_15) + // [mir] _4 = move _14 + _4 := _14 + label l14 + // [mir] goto -> bb3 + // ========== l28 ========== + // drop Acc(_16.val_int, write) (Acc(_16.val_int, write)) + // drop Acc(_15.val_int, write) (Acc(_15.val_int, write)) + goto l6 + + label bb8 + // ========== l7 ========== + // MIR edge bb9 --> bb4 + // ========== bb4 ========== + __t6 := true + // [mir] _5 = const false + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := false + // [mir] goto -> bb6 + // ========== l27 ========== + unfold acc(i32(_2.f$y), write) + goto bb10 + + label bb9 + // ========== l11 ========== + // MIR edge bb6 --> bb1 + // ========== bb1 ========== + __t10 := true + // [mir] _4 = const false + _4 := builtin$havoc_ref() + inhale acc(_4.val_bool, write) + _4.val_bool := 
false + // [mir] goto -> bb3 + goto l6 + + label l1 + // ========== bb9 ========== + __t4 := true + // [mir] StorageDead(_9) + // [mir] StorageDead(_7) + // [mir] switchInt(move _6) -> [0: bb4, otherwise: bb5] + __t17 := _6.val_bool + if (!__t17) { + goto bb8 + } + goto l2 + + label l2 + // ========== l6 ========== + // MIR edge bb9 --> bb5 + // ========== bb5 ========== + __t5 := true + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = (_2.1: i32) + _13 := builtin$havoc_int() + unfold acc(i32(_2.f$y), write) + _13 := _2.f$y.val_int + label l8 + // [mir] _12 = Le(const 0_i32, move _13) + _12 := builtin$havoc_ref() + inhale acc(_12.val_bool, write) + _12.val_bool := 0 <= _13 + // [mir] StorageDead(_13) + // [mir] _5 = move _12 + _5 := _12 + label l9 + // [mir] goto -> bb6 + // ========== l26 ========== + // drop Acc(_13.val_int, write) (Acc(_13.val_int, write)) + goto bb10 + + label l6 + // ========== bb3 ========== + __t11 := true + // [mir] StorageDead(_14) + // [mir] StorageDead(_5) + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_17) + // [mir] _17 = _4 + _17 := builtin$havoc_ref() + inhale acc(_17.val_bool, write) + _17.val_bool := _4.val_bool + label l15 + // [mir] switchInt(move _17) -> [0: bb12, otherwise: bb13] + __t19 := _17.val_bool + if (!__t19) { + goto bb5 + } + goto l7 + + label l7 + // ========== l16 ========== + // MIR edge bb3 --> bb13 + // ========== bb13 ========== + __t12 := true + // [mir] StorageLive(_18) + // [mir] StorageLive(_19) + // [mir] StorageLive(_20) + // [mir] _20 = &((*_1).0: VecVecWrapperI32) + _20 := builtin$havoc_ref() + inhale acc(_20.val_ref, write) + unfold acc(struct$m_Board(_1.val_ref), write) + _20.val_ref := _1.val_ref.f$field + exhale acc(struct$m_VecVecWrapperI32(_1.val_ref.f$field), write - read$()) + inhale acc(struct$m_VecVecWrapperI32(_20.val_ref), read$()) + label l18 + // [mir] StorageLive(_21) + // [mir] _21 = (_2.0: i32) + _21 := builtin$havoc_int() + _21 := _2.f$x.val_int + 
label l19 + // [mir] StorageLive(_22) + // [mir] _22 = (_2.1: i32) + _22 := builtin$havoc_int() + _22 := _2.f$y.val_int + label l20 + // [mir] _19 = VecVecWrapperI32::lookup(move _20, move _21, move _22) -> [return: bb15, unwind: bb16] + label l21 + _19 := builtin$havoc_ref() + inhale acc(i32(_19), write) + inhale (unfolding acc(i32(_19), write) in _19.val_int) == + f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(_20.val_ref), + _21, _22) + // transfer perm _20.val_ref --> old[l21](_20.val_ref) // unchecked: false + // ========== l22 ========== + // MIR edge bb13 --> bb15 + // Expire borrows + // expire_borrows ReborrowingDAG(L4,L0,) + + if (__t12 && __t12) { + // expire loan L0 + // transfer perm old[l21](_20.val_ref) --> old[l18](_20.val_ref) // unchecked: false + exhale acc(struct$m_VecVecWrapperI32(old[l18](_20.val_ref)), read$()) + inhale acc(struct$m_VecVecWrapperI32(_1.val_ref.f$field), write - + read$()) + } + // ========== bb15 ========== + __t13 := true + // [mir] StorageDead(_22) + // [mir] StorageDead(_21) + // [mir] StorageDead(_20) + // [mir] _18 = Eq(move _19, const 0_i32) + _18 := builtin$havoc_ref() + inhale acc(_18.val_bool, write) + unfold acc(i32(_19), write) + _18.val_bool := _19.val_int == 0 + // [mir] StorageDead(_19) + // [mir] _0 = move _18 + _0 := _18 + label l23 + // [mir] goto -> bb14 + // ========== l29 ========== + // drop Acc(_21.val_int, write) (Acc(_21.val_int, write)) + // drop Acc(old[l18](_20.val_ref), write) (Acc(old[l18](_20.val_ref), write)) + // drop Acc(_19.val_int, write) (Acc(_19.val_int, write)) + // drop Acc(_22.val_int, write) (Acc(_22.val_int, write)) + // drop Acc(_20.val_ref, write) (Acc(_20.val_ref, write)) + goto bb4 + + label return + // ========== l1 ========== + // MIR edge bb0 --> bb8 + // ========== bb8 ========== + __t1 := true + // [mir] StorageLive(_9) + // [mir] 
StorageLive(_10) + // [mir] _10 = (_2.0: i32) + _10 := builtin$havoc_int() + _10 := _2.f$x.val_int + label l3 + // [mir] StorageLive(_11) + // [mir] _11 = size() -> [return: bb10, unwind: bb16] + label l4 + _11 := builtin$havoc_ref() + inhale acc(i32(_11), write) + inhale (unfolding acc(i32(_11), write) in _11.val_int) == + f_size__$TY$__$int$() + // ========== bb10 ========== + __t2 := true + // [mir] _9 = Lt(move _10, move _11) + _9 := builtin$havoc_ref() + inhale acc(_9.val_bool, write) + unfold acc(i32(_11), write) + _9.val_bool := _10 < _11.val_int + // [mir] StorageDead(_11) + // [mir] StorageDead(_10) + // [mir] _6 = move _9 + _6 := _9 + label l5 + // [mir] goto -> bb9 + // ========== l24 ========== + // drop Acc(_11.val_int, write) (Acc(_11.val_int, write)) + // drop Acc(_10.val_int, write) (Acc(_10.val_int, write)) + goto l1 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--count_degree-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--count_degree-Both.vpr new file mode 100644 index 00000000..97719051 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--count_degree-Both.vpr 
@@ -0,0 +1,1092 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(_1: Snap$struct$m_VecWrapperI32I32): Int + + function mirror_simple$f_size__$TY$__$int$(): Int +} + +domain Snap$struct$m_VecWrapperI32I32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32I32 + + function Snap$struct$m_VecWrapperI32I32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32I32): Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32I32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32I32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32I32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_0)) } + Snap$struct$m_VecWrapperI32I32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): 
Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: 
FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation 
"bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: 
BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(_1: Snap$struct$m_VecWrapperI32I32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(_1), + true] + + +function f_size__$TY$__$int$(): Int + requires true + requires true + ensures result == 8 + ensures [result == mirror_simple$f_size__$TY$__$int$(), true] + + +function snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(self: Ref): Snap$struct$m_VecWrapperI32I32 + requires acc(struct$m_VecWrapperI32I32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32((unfolding acc(struct$m_VecWrapperI32I32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + 
ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_Board(self: Ref) + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_VecWrapperI32I32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple2$i32$i32(self: Ref) + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_Board$$count_degree() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var _preserve$0: Ref + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Int + var _10: Int + var _11: Ref + var _14: Ref + var _16: Ref + var _20: Ref + var _24: Ref + var _25: Ref + var _26: Int + var _27: Ref + var _28: Ref + var _29: Ref + var _30: Ref + var _32: Ref + var _33: Ref + var _34: Ref + var _35: Ref + var _36: Ref + var _37: Int + var _38: Int + var _39: Ref + + label start + // ========== start ========== + // Def path: "Knights_tour::{impl#4}::count_degree" + // Span: 
tests/verify/pass/rosetta/Knights_tour.rs:187:5: 205:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Board(_1.val_ref), write) && + acc(struct$m_Point(_2), write)) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_4) + // [mir] _4 = move _2 + _4 := _2 + label l0 + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_5) + // [mir] _5 = const 0_i32 + _5 := builtin$havoc_ref() + inhale acc(_5.val_int, write) + _5.val_int := 0 + // [mir] FakeRead(ForLet(None), _5) + // [mir] StorageLive(_6) + // [mir] _6 = moves() -> [return: bb1, unwind: bb24] + label l1 + _6 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32I32(_6), write) + inhale true + label l2 + // ========== bb1 ========== + __t1 := true + // [mir] FakeRead(ForLet(None), _6) + // [mir] StorageLive(_7) + // [mir] _7 = const 0_usize + _7 := builtin$havoc_ref() + inhale acc(_7.val_int, write) + _7.val_int := 0 + // [mir] FakeRead(ForLet(None), _7) + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _7 + _9 := builtin$havoc_int() + _9 := _7.val_int + label l3 + // [mir] StorageLive(_10) + // [mir] StorageLive(_11) + // [mir] _11 = &_6 + _11 := builtin$havoc_ref() + inhale acc(_11.val_ref, write) + _11.val_ref := _6 + exhale acc(struct$m_VecWrapperI32I32(_6), write - read$()) + inhale acc(struct$m_VecWrapperI32I32(_11.val_ref), read$()) + label l4 + // [mir] _10 = VecWrapperI32I32::len(move _11) -> [return: bb2, unwind: bb23] + label l5 + _10 := builtin$havoc_int() + inhale _10 >= 0 + inhale _10 == + 
f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_11.val_ref)) + // transfer perm _11.val_ref --> old[l5](_11.val_ref) // unchecked: false + // ========== l6 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L14,L0,) + + if (__t1 && __t1) { + // expire loan L0 + // transfer perm old[l5](_11.val_ref) --> old[l4](_11.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32I32(old[l4](_11.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32I32(_6), write - read$()) + } + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_11) + // [mir] _8 = Lt(move _9, move _10) + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + inhale _10 >= 0 + _8.val_bool := _9 < _10 + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] FakeRead(ForLet(None), _8) + // [mir] StorageLive(_12) + // [mir] goto -> bb3 + // ========== loop3_start ========== + // ========== loop3_group1_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb23] + // ========== loop3_group1_bb4 ========== + __t4 := true + // [mir] StorageLive(_14) + // [mir] _14 = _8 + _14 := builtin$havoc_ref() + inhale acc(_14.val_bool, write) + _14.val_bool := _8.val_bool + label l7 + // [mir] switchInt(move _14) -> [0: bb21, otherwise: bb5] + __t21 := _14.val_bool + if (__t21) { + goto bb0 + } + goto return + + label bb0 + // ========== l9 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group2_bb5 ========== + __t5 := true + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] _16 = const false + _16 := builtin$havoc_ref() + inhale acc(_16.val_bool, write) + _16.val_bool := false + // [mir] switchInt(move _16) -> [0: bb7, otherwise: bb6] + __t22 := _16.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb3) + _preserve$0 := _1.val_ref + fold acc(i32(_5), write) + // obtain acc(i32(_5), write) + fold acc(usize(_7), write) + // obtain acc(usize(_7), write) + fold acc(bool(_8), write) + // obtain acc(bool(_8), write) + // obtain acc(struct$m_VecWrapperI32I32(_6), write) + // obtain acc(struct$m_Point(_4), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_Board(_1.val_ref), write) + assert 0 <= (unfolding acc(usize(_7), write) in _7.val_int) && + (unfolding acc(usize(_7), write) in _7.val_int) < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_6)) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(i32(_5), write) && + (acc(usize(_7), write) && + (acc(bool(_8), write) && + (acc(struct$m_VecWrapperI32I32(_6), write) && + (acc(struct$m_Point(_4), write) && + (acc(_1.val_ref, read$()) && acc(struct$m_Board(_1.val_ref), write)))))) + _14 := builtin$havoc_ref() + _16 := builtin$havoc_ref() + _20 := builtin$havoc_ref() + _24 := builtin$havoc_ref() + _25 := builtin$havoc_ref() + _26 := builtin$havoc_int() + _27 := builtin$havoc_ref() + _28 := builtin$havoc_ref() + _29 := builtin$havoc_ref() + _30 := builtin$havoc_ref() + _32 := builtin$havoc_ref() + _33 := builtin$havoc_ref() + _34 := builtin$havoc_ref() + _35 := builtin$havoc_ref() + _36 := builtin$havoc_ref() + _37 := builtin$havoc_int() + _38 := builtin$havoc_int() + _39 := builtin$havoc_ref() + _5 := builtin$havoc_ref() + _7 := builtin$havoc_ref() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := 
builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t6 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + // ========== loop3_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb3 + inhale acc(i32(_5), write) && + (acc(usize(_7), write) && + (acc(bool(_8), write) && + (acc(struct$m_VecWrapperI32I32(_6), write) && + (acc(struct$m_Point(_4), write) && + (acc(_1.val_ref, read$()) && acc(struct$m_Board(_1.val_ref), write)))))) + inhale _preserve$0 == _1.val_ref + inhale true + // ========== loop3_group2a_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb23] + // ========== loop3_group2a_bb4 ========== + __t4 := true + // [mir] StorageLive(_14) + // [mir] _14 = _8 + _14 := builtin$havoc_ref() + inhale acc(_14.val_bool, write) + unfold acc(bool(_8), write) + _14.val_bool := _8.val_bool + label l10 + // [mir] switchInt(move _14) -> [0: bb21, otherwise: bb5] + __t23 := _14.val_bool + if (__t23) { + goto l6 + } + goto bb1 + + label bb1 + // ========== l11 ========== + // MIR edge bb4 --> bb21 + goto end_of_method + + label bb2 + // ========== l29 ========== + // MIR edge bb14 --> bb15 + // ========== loop3_group3_bb15 ========== + __t13 := true + // [mir] _35 = CheckedAdd(_5, const 1_i32) + _35 := builtin$havoc_ref() + inhale acc(_35.tuple_0, write) + inhale acc(_35.tuple_0.val_int, write) + inhale acc(_35.tuple_1, write) + inhale acc(_35.tuple_1.val_bool, write) + unfold acc(i32(_5), write) + _35.tuple_0.val_int := _5.val_int + 1 + _35.tuple_1.val_bool := false + // [mir] assert(!move (_35.1: bool), "attempt to compute `{} + {}`, which would overflow", _5, const 1_i32) -> 
[success: bb16, unwind: bb23] + __t27 := _35.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t27 + // ========== loop3_group3_bb16 ========== + __t14 := true + // [mir] _5 = move (_35.0: i32) + _5 := _35.tuple_0 + label l31 + // [mir] _31 = const () + // [mir] goto -> bb18 + // ========== l41 ========== + // drop Acc(_35.tuple_0, write) (Acc(_35.tuple_0, write)) + // drop Acc(_35.tuple_1.val_bool, write) (Acc(_35.tuple_1.val_bool, write)) + // drop Acc(_35.tuple_1, write) (Acc(_35.tuple_1, write)) + goto loop3_group1_bb3 + + label l6 + // ========== l12 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group2b_bb5 ========== + __t5 := true + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] _16 = const false + _16 := builtin$havoc_ref() + inhale acc(_16.val_bool, write) + _16.val_bool := false + // [mir] switchInt(move _16) -> [0: bb7, otherwise: bb6] + __t24 := _16.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. + // ========== loop3_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb3 + inhale 0 <= (unfolding acc(usize(_7), write) in _7.val_int) && + (unfolding acc(usize(_7), write) in _7.val_int) < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_6)) + // ========== loop3_group3_bb7 ========== + __t6 := true + // [mir] _15 = const () + // [mir] goto -> bb8 + // ========== loop3_group3_bb8 ========== + __t7 := true + // [mir] StorageDead(_16) + // [mir] StorageDead(_15) + // [mir] StorageLive(_19) + // [mir] StorageLive(_20) + // [mir] _20 = const false + _20 := builtin$havoc_ref() + inhale acc(_20.val_bool, write) + _20.val_bool := false + // [mir] switchInt(move _20) -> [0: bb10, otherwise: bb9] + __t25 := _20.val_bool + // Ignore default target bb9, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_group3_bb10 ========== + __t8 := true + // [mir] _19 = const () + // [mir] goto -> bb11 + // ========== loop3_group3_bb11 ========== + __t9 := true + // [mir] StorageDead(_20) + // [mir] StorageDead(_19) + // [mir] StorageLive(_24) + // [mir] StorageLive(_25) + // [mir] _25 = &mut _6 + _25 := builtin$havoc_ref() + inhale acc(_25.val_ref, write) + _25.val_ref := _6 + label l13 + // [mir] StorageLive(_26) + // [mir] _26 = _7 + _26 := builtin$havoc_int() + unfold acc(usize(_7), write) + _26 := _7.val_int + label l14 + // [mir] _24 = VecWrapperI32I32::lookup(move _25, move _26) -> [return: bb12, unwind: bb23] + label l15 + assert 0 <= _26 && + _26 < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_25.val_ref)) + assert true + assert _26 >= 0 + exhale acc(_25.val_ref, write) && + (acc(struct$m_VecWrapperI32I32(_25.val_ref), write) && _26 >= 0) + _24 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32I32(old[l15](_25.val_ref)), write) + inhale acc(tuple2$i32$i32(_24), write) + inhale true + label l16 + // ========== l17 ========== + // MIR edge bb11 --> bb12 + // Expire borrows + // expire_borrows ReborrowingDAG(L16,L4,) + + // ========== loop3_group3_bb12 ========== + __t10 := true + // [mir] StorageDead(_26) + // [mir] StorageDead(_25) + // [mir] FakeRead(ForLet(None), _24) + // [mir] StorageLive(_27) + // [mir] StorageLive(_28) + // [mir] _28 = &mut _4 + _28 := builtin$havoc_ref() + inhale acc(_28.val_ref, write) + _28.val_ref := _4 + label l18 + // [mir] StorageLive(_29) + // [mir] StorageLive(_30) + // [mir] _30 = &mut _24 + _30 := builtin$havoc_ref() + inhale acc(_30.val_ref, write) + _30.val_ref := _24 + label l19 + // [mir] _29 = &mut (*_30) + _29 := builtin$havoc_ref() + inhale acc(_29.val_ref, write) + _29.val_ref := _30.val_ref + label l20 + // [mir] _27 = Point::mov(move _28, move _29) -> [return: bb13, 
unwind: bb23] + label l21 + assert true + exhale acc(_28.val_ref, write) && + (acc(struct$m_Point(_28.val_ref), write) && + (acc(_29.val_ref, write) && acc(tuple2$i32$i32(_29.val_ref), write))) + _27 := builtin$havoc_ref() + inhale acc(struct$m_Point(old[l21](_28.val_ref)), write) && + acc(tuple2$i32$i32(old[l21](_29.val_ref)), write) + inhale acc(struct$m_Point(_27), write) + inhale true + inhale (unfolding acc(struct$m_Point(old[l21](_28.val_ref)), write) in + (unfolding acc(i32(old[l21](_28.val_ref).f$y), write) in + (unfolding acc(i32(old[l21](_28.val_ref).f$x), write) in + old[l21](_28.val_ref).f$x.val_int == + old[l21]((unfolding acc(struct$m_Point(_28.val_ref), write) in + (unfolding acc(i32(_28.val_ref.f$x), write) in + _28.val_ref.f$x.val_int))) && + old[l21](_28.val_ref).f$y.val_int == + old[l21]((unfolding acc(struct$m_Point(_28.val_ref), write) in + (unfolding acc(i32(_28.val_ref.f$y), write) in + _28.val_ref.f$y.val_int)))))) + label l22 + // ========== l23 ========== + // MIR edge bb12 --> bb13 + // Expire borrows + // expire_borrows ReborrowingDAG(L18,L17,L7,L6,L5,) + + // ========== loop3_group3_bb13 ========== + __t11 := true + // [mir] StorageDead(_29) + // [mir] StorageDead(_28) + // [mir] FakeRead(ForLet(None), _27) + // [mir] StorageDead(_30) + // [mir] StorageLive(_31) + // [mir] StorageLive(_32) + // [mir] StorageLive(_33) + // [mir] _33 = &mut (*_1) + _33 := builtin$havoc_ref() + inhale acc(_33.val_ref, write) + _33.val_ref := _1.val_ref + label l24 + // [mir] StorageLive(_34) + // [mir] _34 = move _27 + _34 := _27 + label l25 + // [mir] _32 = Board::available(move _33, move _34) -> [return: bb14, unwind: bb23] + label l26 + assert true + exhale acc(_33.val_ref, write) && + (acc(struct$m_Board(_33.val_ref), write) && + acc(struct$m_Point(_34), write)) + _32 := builtin$havoc_ref() + inhale acc(struct$m_Board(old[l26](_33.val_ref)), write) + inhale acc(bool(_32), write) + inhale true + inhale (unfolding acc(bool(_32), write) in _32.val_bool) 
==> + 0 <= + old[l26]((unfolding acc(struct$m_Point(_34), write) in + (unfolding acc(i32(_34.f$x), write) in _34.f$x.val_int))) && + (old[l26]((unfolding acc(struct$m_Point(_34), write) in + (unfolding acc(i32(_34.f$x), write) in _34.f$x.val_int))) < + f_size__$TY$__$int$() && + (0 <= + old[l26]((unfolding acc(struct$m_Point(_34), write) in + (unfolding acc(i32(_34.f$y), write) in _34.f$y.val_int))) && + old[l26]((unfolding acc(struct$m_Point(_34), write) in + (unfolding acc(i32(_34.f$y), write) in _34.f$y.val_int))) < + f_size__$TY$__$int$())) + label l27 + // ========== l28 ========== + // MIR edge bb13 --> bb14 + // Expire borrows + // expire_borrows ReborrowingDAG(L15,L8,) + + // ========== loop3_group3_bb14 ========== + __t12 := true + // [mir] StorageDead(_34) + // [mir] StorageDead(_33) + // [mir] switchInt(move _32) -> [0: bb17, otherwise: bb15] + unfold acc(bool(_32), write) + __t26 := _32.val_bool + if (!__t26) { + goto loop3_start + } + goto bb2 + + label l8 + // ========== bb21 ========== + __t19 := true + // [mir] StorageLive(_41) + // [mir] _12 = const () + // [mir] StorageDead(_41) + // [mir] StorageDead(_14) + // [mir] StorageDead(_12) + // [mir] _0 = _5 + _0 := builtin$havoc_ref() + inhale acc(_0.val_int, write) + _0.val_int := _5.val_int + label l40 + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] drop(_6) -> [return: bb22, unwind: bb24] + // ========== bb22 ========== + __t20 := true + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l42 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_Board(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Board(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label l9 + // ========== l39 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group5_bb5 ========== + __t5 := true + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] _16 = const false + _16 := builtin$havoc_ref() + inhale acc(_16.val_bool, write) + _16.val_bool := false + // [mir] switchInt(move _16) -> [0: bb7, otherwise: bb6] + __t30 := _16.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb3) + fold acc(i32(_5), write) + // obtain acc(i32(_5), write) + fold acc(usize(_7), write) + // obtain acc(usize(_7), write) + fold acc(bool(_8), write) + // obtain acc(bool(_8), write) + // obtain acc(struct$m_VecWrapperI32I32(_6), write) + // obtain acc(struct$m_Point(_4), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_Board(_1.val_ref), write) + assert 0 <= (unfolding acc(usize(_7), write) in _7.val_int) && + (unfolding acc(usize(_7), write) in _7.val_int) < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_6)) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(i32(_5), write) && + (acc(usize(_7), write) && + (acc(bool(_8), write) && + (acc(struct$m_VecWrapperI32I32(_6), write) && + (acc(struct$m_Point(_4), write) && + (acc(_1.val_ref, read$()) && acc(struct$m_Board(_1.val_ref), write)))))) + inhale false + goto end_of_method + + label loop3_group1_bb3 + // ========== loop3_group3_bb18 ========== + __t16 := true + // [mir] StorageDead(_32) + // [mir] StorageDead(_31) + // [mir] _36 = CheckedAdd(_7, const 1_usize) + _36 := builtin$havoc_ref() + inhale acc(_36.tuple_0, write) + inhale acc(_36.tuple_0.val_int, write) + inhale acc(_36.tuple_1, write) + inhale acc(_36.tuple_1.val_bool, write) + _36.tuple_0.val_int := _7.val_int + 1 + _36.tuple_1.val_bool := false + // [mir] assert(!move (_36.1: bool), "attempt to compute `{} + {}`, which would overflow", _7, const 1_usize) -> [success: bb19, unwind: bb23] + __t28 := _36.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t28 + // ========== loop3_group3_bb19 ========== + __t17 := true + // [mir] _7 = move (_36.0: usize) + _7 := _36.tuple_0 + label l32 + // [mir] StorageLive(_37) + // [mir] _37 = _7 + _37 := builtin$havoc_int() + _37 := 
_7.val_int + label l33 + // [mir] StorageLive(_38) + // [mir] StorageLive(_39) + // [mir] _39 = &_6 + _39 := builtin$havoc_ref() + inhale acc(_39.val_ref, write) + _39.val_ref := _6 + exhale acc(struct$m_VecWrapperI32I32(_6), write - read$()) + inhale acc(struct$m_VecWrapperI32I32(_39.val_ref), read$()) + label l34 + // [mir] _38 = VecWrapperI32I32::len(move _39) -> [return: bb20, unwind: bb23] + label l35 + _38 := builtin$havoc_int() + inhale _38 >= 0 + inhale _38 == + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_39.val_ref)) + // transfer perm _39.val_ref --> old[l35](_39.val_ref) // unchecked: false + // ========== l36 ========== + // MIR edge bb19 --> bb20 + // Expire borrows + // expire_borrows ReborrowingDAG(L13,L9,) + + if (__t17 && __t17) { + // expire loan L9 + // transfer perm old[l35](_39.val_ref) --> old[l34](_39.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32I32(old[l34](_39.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32I32(_6), write - read$()) + } + // ========== loop3_group3_bb20 ========== + __t18 := true + // [mir] StorageDead(_39) + // [mir] _8 = Lt(move _37, move _38) + inhale _38 >= 0 + _8.val_bool := _37 < _38 + // [mir] StorageDead(_38) + // [mir] StorageDead(_37) + // [mir] _13 = const () + // [mir] StorageDead(_27) + // [mir] StorageDead(_24) + // [mir] StorageDead(_14) + // [mir] goto -> bb3 + // ========== loop3_group4_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb23] + // ========== loop3_group4_bb4 ========== + __t4 := true + // [mir] StorageLive(_14) + // [mir] _14 = _8 + _14 := builtin$havoc_ref() + inhale acc(_14.val_bool, write) + _14.val_bool := _8.val_bool + label l37 + // [mir] switchInt(move _14) -> [0: bb21, otherwise: bb5] + __t29 := _14.val_bool + if (__t29) { + goto l9 + } + goto loop3_group1_bb4 + + label 
loop3_group1_bb4 + // ========== l38 ========== + // MIR edge bb4 --> bb21 + // ========== l44 ========== + // drop Acc(_16.val_bool, write) (Acc(_16.val_bool, write)) + // drop Acc(_20.val_bool, write) (Acc(_20.val_bool, write)) + // drop Acc(_36.tuple_0, write) (Acc(_36.tuple_0, write)) + // drop Acc(_36.tuple_1.val_bool, write) (Acc(_36.tuple_1.val_bool, write)) + // drop Acc(_39.val_ref, write) (Acc(_39.val_ref, write)) + // drop Acc(_30.val_ref, write) (Acc(_30.val_ref, write)) + // drop Acc(_38.val_int, write) (Acc(_38.val_int, write)) + // drop Acc(_32.val_bool, write) (Acc(_32.val_bool, write)) + // drop Acc(_37.val_int, write) (Acc(_37.val_int, write)) + // drop Acc(old[l34](_39.val_ref), write) (Acc(old[l34](_39.val_ref), write)) + // drop Pred(_24, write) (Pred(_24, write)) + // drop Acc(_36.tuple_1, write) (Acc(_36.tuple_1, write)) + goto l8 + + label loop3_start + // ========== l30 ========== + // MIR edge bb14 --> bb17 + // ========== loop3_group3_bb17 ========== + __t15 := true + // [mir] _31 = const () + // [mir] goto -> bb18 + // ========== l43 ========== + unfold acc(i32(_5), write) + goto loop3_group1_bb3 + + label return + // ========== l8 ========== + // MIR edge bb4 --> bb21 + goto l8 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--new-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--new-Both.vpr new file mode 100644 index 00000000..4ec05208 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Board--new-Both.vpr 
@@ -0,0 +1,320 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$field: Ref + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate struct$m_Board(self: Ref) { + acc(self.f$field, write) && + acc(struct$m_VecVecWrapperI32(self.f$field), write) +} + +predicate struct$m_VecVecWrapperI32(self: Ref) + +method m_Board$$new() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var _2: Ref + + label start + // 
========== start ========== + // Def path: "Knights_tour::{impl#4}::new" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:173:5: 177:6 (#0) + __t0 := false + __t1 := false + __t2 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] _2 = VecVecWrapperI32::new() -> [return: bb1, unwind: bb3] + label l0 + _2 := builtin$havoc_ref() + inhale acc(struct$m_VecVecWrapperI32(_2), write) + inhale true + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] _0 = Board { field: move _2 } + _0 := builtin$havoc_ref() + inhale acc(struct$m_Board(_0), write) + unfold acc(struct$m_Board(_0), write) + _0.f$field := _2 + label l2 + // [mir] drop(_2) -> [return: bb2, unwind: bb3] + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l4 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(struct$m_Board(_0), write) + // obtain acc(struct$m_Board(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(struct$m_Board(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--clone-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--clone-Both.vpr new file mode 100644 index 00000000..56a59161 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--clone-Both.vpr 
@@ -0,0 +1,366 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$x: Ref + +field f$y: Ref + +field val_int: Int + +field val_ref: Ref + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +method m_Point$$clone() returns (_0: 
Ref) +{ + var __t0: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + + label start + // ========== start ========== + // Def path: "Knights_tour::{impl#3}::clone" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:151:5: 156:6 (#0) + __t0 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(struct$m_Point(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] _2 = ((*_1).0: i32) + _2 := builtin$havoc_ref() + inhale acc(_2.val_int, write) + unfold acc(struct$m_Point(_1.val_ref), write) + unfold acc(i32(_1.val_ref.f$x), write) + _2.val_int := _1.val_ref.f$x.val_int + label l0 + // [mir] StorageLive(_3) + // [mir] _3 = ((*_1).1: i32) + _3 := builtin$havoc_ref() + inhale acc(_3.val_int, write) + unfold acc(i32(_1.val_ref.f$y), write) + _3.val_int := _1.val_ref.f$y.val_int + label l1 + // [mir] _0 = Point { x: move _2, y: move _3 } + _0 := builtin$havoc_ref() + inhale acc(struct$m_Point(_0), write) + unfold acc(struct$m_Point(_0), write) + _0.f$x := _2 + label l2 + _0.f$y := _3 + label l3 + // [mir] StorageDead(_3) + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l5 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$y), write) + fold acc(i32(_1.val_ref.f$x), write) + fold acc(struct$m_Point(_1.val_ref), write) + // obtain acc(struct$m_Point(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0.f$y), write) + fold acc(i32(_0.f$x), write) + fold acc(struct$m_Point(_0), write) + // obtain acc(struct$m_Point(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(struct$m_Point(_old$pre$0), write) in + (unfolding acc(i32(_old$pre$0.f$y), write) in + (unfolding acc(i32(_old$pre$0.f$x), write) in + (unfolding acc(struct$m_Point(_0), write) in + (unfolding acc(i32(_0.f$y), write) in + (unfolding acc(i32(_0.f$x), write) in + _0.f$x.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$x), write) in + _1.val_ref.f$x.val_int))) && + (_0.f$y.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$y), write) in + _1.val_ref.f$y.val_int))) && + (_old$pre$0.f$x.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$x), write) in + _1.val_ref.f$x.val_int))) && + _old$pre$0.f$y.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$y), write) in + _1.val_ref.f$y.val_int))))))))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Point(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(struct$m_Point(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--mov-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--mov-Both.vpr
new file mode 100644
index 00000000..20beebdb
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--Point--mov-Both.vpr
@@ -0,0 +1,454 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && 
acc(i32(self.f$y), write))) +} + +predicate tuple2$i32$i32(self: Ref) { + acc(self.tuple_0, write) && + (acc(i32(self.tuple_0), write) && + (acc(self.tuple_1, write) && acc(i32(self.tuple_1), write))) +} + +method m_Point$$mov() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var _old$pre$0: Ref + var _old$pre$1: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Int + var _5: Ref + var _6: Int + var _7: Int + var _8: Ref + var _9: Ref + var _10: Int + var _11: Int + var _12: Ref + + label start + // ========== start ========== + // Def path: "Knights_tour::{impl#3}::mov" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:141:5: 146:6 (#0) + __t0 := false + __t1 := false + __t2 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Point(_1.val_ref), write) && + (acc(_2.val_ref, write) && acc(tuple2$i32$i32(_2.val_ref), write))) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = ((*_2).0: i32) + _3 := builtin$havoc_int() + unfold acc(tuple2$i32$i32(_2.val_ref), write) + unfold acc(i32(_2.val_ref.tuple_0), write) + _3 := _2.val_ref.tuple_0.val_int + label l0 + // [mir] StorageLive(_4) + // [mir] _4 = ((*_2).1: i32) + _4 := builtin$havoc_int() + unfold acc(i32(_2.val_ref.tuple_1), write) + _4 := _2.val_ref.tuple_1.val_int + label l1 + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = ((*_1).0: i32) + _6 := builtin$havoc_int() + unfold acc(struct$m_Point(_1.val_ref), write) + unfold acc(i32(_1.val_ref.f$x), write) + _6 := _1.val_ref.f$x.val_int + label l2 + // [mir] StorageLive(_7) + // [mir] _7 = _3 + _7 := builtin$havoc_int() + _7 := _3 + label l3 + // [mir] _8 = CheckedAdd(_6, _7) + _8 := builtin$havoc_ref() + inhale acc(_8.tuple_0, write) + inhale acc(_8.tuple_0.val_int, write) + inhale acc(_8.tuple_1, write) + inhale acc(_8.tuple_1.val_bool, write) + _8.tuple_0.val_int := _6 + _7 + 
_8.tuple_1.val_bool := false + // [mir] assert(!move (_8.1: bool), "attempt to compute `{} + {}`, which would overflow", move _6, move _7) -> [success: bb1, unwind: bb3] + __t3 := _8.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t3 + // ========== bb1 ========== + __t1 := true + // [mir] _5 = move (_8.0: i32) + _5 := _8.tuple_0 + label l4 + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = ((*_1).1: i32) + _10 := builtin$havoc_int() + unfold acc(i32(_1.val_ref.f$y), write) + _10 := _1.val_ref.f$y.val_int + label l5 + // [mir] StorageLive(_11) + // [mir] _11 = _4 + _11 := builtin$havoc_int() + _11 := _4 + label l6 + // [mir] _12 = CheckedAdd(_10, _11) + _12 := builtin$havoc_ref() + inhale acc(_12.tuple_0, write) + inhale acc(_12.tuple_0.val_int, write) + inhale acc(_12.tuple_1, write) + inhale acc(_12.tuple_1.val_bool, write) + _12.tuple_0.val_int := _10 + _11 + _12.tuple_1.val_bool := false + // [mir] assert(!move (_12.1: bool), "attempt to compute `{} + {}`, which would overflow", move _10, move _11) -> [success: bb2, unwind: bb3] + __t4 := _12.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t4 + // ========== bb2 ========== + __t2 := true + // [mir] _9 = move (_12.0: i32) + _9 := _12.tuple_0 + label l7 + // [mir] StorageDead(_11) + // [mir] StorageDead(_10) + // [mir] _0 = Point { x: move _5, y: move _9 } + _0 := builtin$havoc_ref() + inhale acc(struct$m_Point(_0), write) + unfold acc(struct$m_Point(_0), write) + _0.f$x := _5 + label l8 + _0.f$y := _9 + label l9 + // [mir] StorageDead(_9) + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l11 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$y), write) + fold acc(i32(_1.val_ref.f$x), write) + fold acc(struct$m_Point(_1.val_ref), write) + // obtain acc(struct$m_Point(_1.val_ref), write) + _old$pre$0 := _1.val_ref + fold acc(i32(_2.val_ref.tuple_1), write) + fold acc(i32(_2.val_ref.tuple_0), write) + fold acc(tuple2$i32$i32(_2.val_ref), write) + // obtain acc(tuple2$i32$i32(_2.val_ref), write) + _old$pre$1 := _2.val_ref + // Fold the result + fold acc(i32(_0.f$y), write) + fold acc(i32(_0.f$x), write) + fold acc(struct$m_Point(_0), write) + // obtain acc(struct$m_Point(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(struct$m_Point(_old$pre$0), write) in + (unfolding acc(i32(_old$pre$0.f$y), write) in + (unfolding acc(i32(_old$pre$0.f$x), write) in + _old$pre$0.f$x.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$x), write) in + _1.val_ref.f$x.val_int))) && + _old$pre$0.f$y.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$y), write) in + _1.val_ref.f$y.val_int)))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Point(_old$pre$0), write) && + acc(tuple2$i32$i32(_old$pre$1), write) + // Exhale permissions of postcondition (2/3) + exhale acc(struct$m_Point(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--knights_tour-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--knights_tour-Both.vpr
new file mode 100644
index 00000000..9eb85664
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--knights_tour-Both.vpr
@@ -0,0 +1,3680 @@ +domain MirrorDomain { + + function mirror_simple$f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(_1: Snap$struct$m_VecCandidates): Int + + function mirror_simple$f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(_1: Snap$struct$m_VecVecWrapperI32, + _2: Int, _3: Int): Int + + function mirror_simple$f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(_1: Snap$struct$m_VecWrapperI32I32): Int + + function mirror_simple$f_size__$TY$__$int$(): Int + + function mirror_simple$f_valid__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$bool$(_1: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_): Bool +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0: Snap$struct$m_Board): Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board(self: Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_): Snap$struct$m_Board + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self) } + 0 <= + 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Board, _r_0: Snap$struct$m_Board :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_l_0), + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Board :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0) } + 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Board :: + { Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0)) == + _0) + } +} + +domain Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(): Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0: Snap$tuple2$i32$struct$m_Point): Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ + + function 
Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(self: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_): Snap$tuple2$i32$struct$m_Point + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$injectivity { + (forall _l_0: Snap$tuple2$i32$struct$m_Point, _r_0: Snap$tuple2$i32$struct$m_Point :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_l_0), + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_r_0) } + 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$discriminant_axiom { + (forall _0: Snap$tuple2$i32$struct$m_Point :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0$axiom { + (forall _0: Snap$tuple2$i32$struct$m_Point :: + { Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Board { + 
+ function cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_0: Snap$struct$m_VecVecWrapperI32): Snap$struct$m_Board + + function Snap$struct$m_Board$0$field$f$field__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32(self: Snap$struct$m_Board): Snap$struct$m_VecVecWrapperI32 + + axiom Snap$struct$m_Board$0$injectivity { + (forall _l_0: Snap$struct$m_VecVecWrapperI32, _r_0: Snap$struct$m_VecVecWrapperI32 :: + { cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_l_0), + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_r_0) } + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_l_0) == + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_Board$0$field$f$field$axiom { + (forall _0: Snap$struct$m_VecVecWrapperI32 :: + { Snap$struct$m_Board$0$field$f$field__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32(cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_0)) } + Snap$struct$m_Board$0$field$f$field__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32(cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) 
} + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_VecCandidates { + + function cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global): 
Snap$struct$m_VecCandidates + + function Snap$struct$m_VecCandidates$0$field$f$v__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecCandidates): Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecCandidates$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_l_0), + cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecCandidates$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global :: + { Snap$struct$m_VecCandidates$0$field$f$v__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_0)) } + 
Snap$struct$m_VecCandidates$0$field$f$v__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates(_0)) == + _0) + } +} + +domain Snap$struct$m_VecVecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global): Snap$struct$m_VecVecWrapperI32 + + function Snap$struct$m_VecVecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecVecWrapperI32): Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecVecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_l_0) == + 
cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecVecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global :: + { Snap$struct$m_VecVecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_0)) } + Snap$struct$m_VecVecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_VecWrapperI32I32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32I32 + + function Snap$struct$m_VecWrapperI32I32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32I32): Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32I32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global, + _r_0: 
Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32I32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global :: + { Snap$struct$m_VecWrapperI32I32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_0)) } + Snap$struct$m_VecWrapperI32I32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global { + + +} + +domain Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global { + + +} + +domain Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global { + + +} + +domain Snap$tuple2$i32$struct$m_Point { + + function cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0: 
Int, + _1: Snap$struct$m_Point): Snap$tuple2$i32$struct$m_Point + + function Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self: Snap$tuple2$i32$struct$m_Point): Int + + function Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(self: Snap$tuple2$i32$struct$m_Point): Snap$struct$m_Point + + axiom Snap$tuple2$i32$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Snap$struct$m_Point, _r_0: Int, _r_1: Snap$struct$m_Point :: + { cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$tuple2$i32$struct$m_Point$0$field$tuple_0$axiom { + (forall _0: Int, _1: Snap$struct$m_Point :: + { Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) } + Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$tuple2$i32$struct$m_Point$0$field$tuple_0$valid { + (forall self: Snap$tuple2$i32$struct$m_Point :: + { Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self) && + 
Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$tuple2$i32$struct$m_Point$0$field$tuple_1$axiom { + (forall _0: Int, _1: Snap$struct$m_Point :: + { Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) } + Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + 
function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 
interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + 
function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: 
BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$field: Ref + +field f$v: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(_1: Snap$struct$m_VecCandidates): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(_1), + true] + + +function f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(_1: Snap$struct$m_VecVecWrapperI32, + _2: Int, _3: Int): Int + requires true + requires 0 <= _2 && _2 < f_size__$TY$__$int$() && + (0 <= _3 && _3 < f_size__$TY$__$int$()) + ensures true + ensures [result == + mirror_simple$f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(_1, + _2, _3), + true] + + +function f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(_1: Snap$struct$m_VecWrapperI32I32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(_1), + true] + + +function f_size__$TY$__$int$(): Int + requires true + requires true + ensures result == 8 + ensures [result == mirror_simple$f_size__$TY$__$int$(), true] + + +function f_valid__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$bool$(_1: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_): Bool + requires true + requires true + ensures true + ensures [result == + 
mirror_simple$f_valid__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$bool$(_1), + true] +{ + !(discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(_1) == + 0) ==> + (!(0 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1)))) ==> + false) && + (0 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1))) ==> + (!(Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1))) < + f_size__$TY$__$int$()) ==> + false) && + (Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1))) < + f_size__$TY$__$int$() ==> + 0 <= + 
Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1))) && + (0 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1))) ==> + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(_1))) < + f_size__$TY$__$int$()))) +} + +function m_std$$option$$Option$_beg_$struct$m_Board$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) in + self.discriminant) +} + +function 
m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(self.enum_Some), read$()) in + snap$__$TY$__Snap$struct$m_Board$struct$m_Board$Snap$struct$m_Board(self.enum_Some.f$0)))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_()) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ + requires acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_((unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(self.enum_Some), read$()) in + snap$__$TY$__Snap$tuple2$i32$struct$m_Point$tuple2$i32$struct$m_Point$Snap$tuple2$i32$struct$m_Point(self.enum_Some.f$0)))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Board$struct$m_Board$Snap$struct$m_Board(self: Ref): Snap$struct$m_Board + requires acc(struct$m_Board(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board((unfolding acc(struct$m_Board(self), read$()) in + snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(self.f$field))) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(self: Ref): Snap$struct$m_VecCandidates + requires acc(struct$m_VecCandidates(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecCandidates$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_VecCandidates((unfolding acc(struct$m_VecCandidates(self), read$()) in + 
snap$__$TY$__Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(self: Ref): Snap$struct$m_VecVecWrapperI32 + requires acc(struct$m_VecVecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecVecWrapperI32$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_VecVecWrapperI32((unfolding acc(struct$m_VecVecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(self: Ref): Snap$struct$m_VecWrapperI32I32 + requires acc(struct$m_VecWrapperI32I32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32I32$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32I32((unfolding acc(struct$m_VecWrapperI32I32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function 
snap$__$TY$__Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self), read$()) + + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(self), read$()) + + +function snap$__$TY$__Snap$tuple2$i32$struct$m_Point$tuple2$i32$struct$m_Point$Snap$tuple2$i32$struct$m_Point(self: Ref): Snap$tuple2$i32$struct$m_Point + requires acc(tuple2$i32$struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point((unfolding acc(tuple2$i32$struct$m_Point(self), read$()) in + (unfolding acc(i32(self.tuple_0), read$()) in self.tuple_0.val_int)), (unfolding acc(tuple2$i32$struct$m_Point(self), read$()) 
in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.tuple_1))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_Board$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(struct$m_Board(self.f$0), write) +} + +predicate m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(tuple2$i32$struct$m_Point(self.f$0), write) +} + +predicate struct$m_Board(self: Ref) { + acc(self.f$field, write) && + acc(struct$m_VecVecWrapperI32(self.f$field), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_VecCandidates(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_VecVecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_VecWrapperI32I32(self: Ref) { + acc(self.f$v, write) && + 
acc(struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$alloc$$Global(self: Ref) + +predicate struct$m_std$$vec$$Vec$tuple2$i32$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate struct$m_std$$vec$$Vec$tuple2$i32$struct$m_Point$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) + +predicate tuple2$i32$i32(self: Ref) + +predicate tuple2$i32$struct$m_Point(self: Ref) { + acc(self.tuple_0, write) && + (acc(i32(self.tuple_0), write) && + (acc(self.tuple_1, write) && acc(struct$m_Point(self.tuple_1), write))) +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_knights_tour() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var __t41: Bool + var __t42: Bool + var __t43: Bool + var __t44: Bool + var __t45: Bool + var __t46: Bool + var __t47: Bool + var __t48: Bool + var __t49: Bool + var __t50: Bool + var __t51: Bool + var __t52: Bool + var __t53: Bool + var __t54: Bool + var __t55: Bool + var __t56: Bool + var __t57: Bool + var __t58: Bool + var __t59: Bool + var __t60: Bool + var __t61: Bool + var __t62: Bool + var __t63: Bool + var __t64: Bool + var __t65: Bool + var __t66: 
Bool + var __t67: Bool + var __t68: Bool + var __t69: Bool + var __t70: Bool + var __t71: Bool + var __t72: Bool + var __t73: Bool + var __t74: Bool + var __t75: Bool + var __t76: Bool + var __t77: Bool + var __t78: Bool + var __t79: Bool + var __t80: Bool + var __t81: Bool + var __t82: Bool + var __t83: Bool + var __t84: Bool + var __t85: Bool + var __t86: Bool + var __t87: Bool + var __t88: Bool + var __t89: Bool + var __t90: Bool + var __t91: Bool + var __t92: Bool + var __t93: Bool + var __t94: Bool + var __t95: Bool + var __t96: Bool + var __t97: Bool + var __t98: Bool + var __t99: Bool + var __t100: Bool + var __t101: Bool + var __t102: Bool + var __t103: Bool + var __t104: Bool + var __t105: Bool + var __t106: Bool + var __t107: Bool + var __t108: Bool + var __t109: Bool + var __t110: Bool + var __t111: Bool + var __t112: Int + var __t113: Bool + var __t114: Bool + var __t115: Bool + var __t116: Bool + var __t117: Bool + var __t118: Bool + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Ref + var _11: Ref + var _12: Ref + var _13: Ref + var _14: Ref + var _15: Ref + var _16: Int + var _17: Ref + var _18: Ref + var _19: Ref + var _20: Ref + var _23: Ref + var _25: Ref + var _29: Ref + var _32: Ref + var _33: Ref + var _34: Ref + var _35: Ref + var _36: Int + var _37: Int + var _38: Ref + var _40: Ref + var _42: Ref + var _46: Ref + var _51: Ref + var _55: Ref + var _58: Ref + var _59: Ref + var _60: Int + var _61: Ref + var _62: Ref + var _63: Ref + var _64: Ref + var _66: Ref + var _67: Ref + var _68: Ref + var _69: Ref + var _70: Ref + var _71: Ref + var _72: Ref + var _73: Ref + var _74: Ref + var _75: Ref + var _76: Ref + var _77: Ref + var _78: Ref + var _79: Ref + var _80: Int + var _81: Int + var _82: Ref + var _86: Ref + var _87: Ref + var _88: Int + var _89: Int + var _90: Ref + var _91: Ref + var _92: Ref + var _93: Ref + var _94: Ref + var _95: Ref + var _97: Ref 
+ var _99: Ref + var _103: Ref + var _108: Ref + var _111: Int + var _112: Ref + var _113: Ref + var _114: Ref + var _115: Int + var _117: Ref + var _118: Int + var _119: Int + var _120: Ref + var _121: Ref + var _122: Ref + var _123: Ref + var _124: Ref + var _125: Ref + var _126: Int + var _127: Int + var _128: Ref + var _133: Int + var _134: Ref + var _135: Ref + var _136: Ref + var _137: Ref + var _138: Ref + var _139: Ref + var _140: Ref + var _141: Ref + var _142: Ref + var _143: Ref + var _144: Int + var _145: Ref + var _146: Ref + var _147: Ref + var _148: Ref + var _149: Ref + var _150: Ref + var _154: Ref + var _156: Ref + + label start + // ========== start ========== + // Def path: "Knights_tour::knights_tour" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:236:1: 301:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + __t27 := false + __t28 := false + __t29 := false + __t30 := false + __t31 := false + __t32 := false + __t33 := false + __t34 := false + __t35 := false + __t36 := false + __t37 := false + __t38 := false + __t39 := false + __t40 := false + __t41 := false + __t42 := false + __t43 := false + __t44 := false + __t45 := false + __t46 := false + __t47 := false + __t48 := false + __t49 := false + __t50 := false + __t51 := false + __t52 := false + __t53 := false + __t54 := false + __t55 := false + __t56 := false + __t57 := false + __t58 := false + __t59 := false + __t60 := false + __t61 := false + __t62 := false + __t63 := false + __t64 := false + __t65 := false + __t66 := false + __t67 := false + __t68 := false + __t69 := false + __t70 := false 
+ __t71 := false + __t72 := false + __t73 := false + __t74 := false + __t75 := false + __t76 := false + __t77 := false + __t78 := false + __t79 := false + __t80 := false + __t81 := false + __t82 := false + // Preconditions: + inhale acc(i32(_1), write) && acc(i32(_2), write) + inhale true + inhale 0 <= (unfolding acc(i32(_1), write) in _1.val_int) && + ((unfolding acc(i32(_1), write) in _1.val_int) < f_size__$TY$__$int$() && + (0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding acc(i32(_2), write) in _2.val_int) < f_size__$TY$__$int$())) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = Board::new() -> [return: bb1, unwind: bb95] + label l0 + _3 := builtin$havoc_ref() + inhale acc(struct$m_Board(_3), write) + inhale true + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] FakeRead(ForLet(None), _3) + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] _5 = _1 + _5 := builtin$havoc_ref() + inhale acc(_5.val_int, write) + unfold acc(i32(_1), write) + _5.val_int := _1.val_int + label l2 + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_ref() + inhale acc(_6.val_int, write) + unfold acc(i32(_2), write) + _6.val_int := _2.val_int + label l3 + // [mir] _4 = Point { x: move _5, y: move _6 } + _4 := builtin$havoc_ref() + inhale acc(struct$m_Point(_4), write) + unfold acc(struct$m_Point(_4), write) + _4.f$x := _5 + label l4 + _4.f$y := _6 + label l5 + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_7) + // [mir] _7 = const 1_i32 + _7 := builtin$havoc_ref() + inhale acc(_7.val_int, write) + _7.val_int := 1 + // [mir] FakeRead(ForLet(None), _7) + // [mir] StorageLive(_8) + // [mir] _8 = const false + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := false + // [mir] FakeRead(ForLet(None), _8) + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = &mut (_3.0: 
VecVecWrapperI32) + _10 := builtin$havoc_ref() + inhale acc(_10.val_ref, write) + unfold acc(struct$m_Board(_3), write) + _10.val_ref := _3.f$field + label l6 + // [mir] StorageLive(_11) + // [mir] _11 = (_4.0: i32) + _11 := builtin$havoc_ref() + inhale acc(_11.val_int, write) + _11.val_int := _4.f$x.val_int + label l7 + // [mir] StorageLive(_12) + // [mir] _12 = (_4.1: i32) + _12 := builtin$havoc_ref() + inhale acc(_12.val_int, write) + _12.val_int := _4.f$y.val_int + label l8 + // [mir] StorageLive(_13) + // [mir] _13 = _7 + _13 := builtin$havoc_ref() + inhale acc(_13.val_int, write) + _13.val_int := _7.val_int + label l9 + // [mir] _9 = VecVecWrapperI32::store(move _10, move _11, move _12, move _13) -> [return: bb2, unwind: bb94] + label l10 + assert 0 <= _11.val_int && _11.val_int < f_size__$TY$__$int$() && + (0 <= _12.val_int && _12.val_int < f_size__$TY$__$int$()) + assert true + fold acc(i32(_11), write) + fold acc(i32(_12), write) + fold acc(i32(_13), write) + exhale acc(_10.val_ref, write) && + (acc(struct$m_VecVecWrapperI32(_10.val_ref), write) && + (acc(i32(_11), write) && (acc(i32(_12), write) && acc(i32(_13), write)))) + _9 := builtin$havoc_ref() + inhale acc(struct$m_VecVecWrapperI32(old[l10](_10.val_ref)), write) + inhale acc(tuple0$(_9), write) + inhale true + inhale f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(old[l10](_10.val_ref)), + old[l10](_11.val_int), old[l10](_12.val_int)) == + old[l10](_13.val_int) && + (forall _0_quant_0: Int, _1_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < f_size__$TY$__$int$()) || + (_0_quant_0 == old[l10](_11.val_int) || + (!(0 <= _1_quant_0) || + (!(_1_quant_0 < f_size__$TY$__$int$()) || + (!(_1_quant_0 == old[l10](_12.val_int)) ==> + 
f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(old[l10](_10.val_ref)), + _0_quant_0, _1_quant_0) == + old[l10](f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(_10.val_ref), + _0_quant_0, _1_quant_0)))))))) + label l11 + // ========== l12 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L31,L0,) + + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_13) + // [mir] StorageDead(_12) + // [mir] StorageDead(_11) + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] _14 = CheckedAdd(_7, const 1_i32) + _14 := builtin$havoc_ref() + inhale acc(_14.tuple_0, write) + inhale acc(_14.tuple_0.val_int, write) + inhale acc(_14.tuple_1, write) + inhale acc(_14.tuple_1.val_bool, write) + _14.tuple_0.val_int := _7.val_int + 1 + _14.tuple_1.val_bool := false + // [mir] assert(!move (_14.1: bool), "attempt to compute `{} + {}`, which would overflow", _7, const 1_i32) -> [success: bb3, unwind: bb94] + __t83 := _14.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t83 + // ========== bb3 ========== + __t3 := true + // [mir] _7 = move (_14.0: i32) + _7 := _14.tuple_0 + label l13 + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] _16 = _7 + _16 := builtin$havoc_int() + _16 := _7.val_int + label l14 + // [mir] StorageLive(_17) + // [mir] StorageLive(_18) + // [mir] _18 = size() -> [return: bb4, unwind: bb94] + label l15 + _18 := builtin$havoc_ref() + inhale acc(i32(_18), write) + inhale (unfolding acc(i32(_18), write) in _18.val_int) == + f_size__$TY$__$int$() + // ========== bb4 ========== + __t4 := true + // [mir] StorageLive(_19) + // [mir] _19 = size() -> [return: bb5, unwind: bb94] + label l16 + _19 := 
builtin$havoc_ref() + inhale acc(i32(_19), write) + inhale (unfolding acc(i32(_19), write) in _19.val_int) == + f_size__$TY$__$int$() + // ========== bb5 ========== + __t5 := true + // [mir] _20 = CheckedMul(_18, _19) + _20 := builtin$havoc_ref() + inhale acc(_20.tuple_0, write) + inhale acc(_20.tuple_0.val_int, write) + inhale acc(_20.tuple_1, write) + inhale acc(_20.tuple_1.val_bool, write) + unfold acc(i32(_18), write) + unfold acc(i32(_19), write) + _20.tuple_0.val_int := _18.val_int * _19.val_int + _20.tuple_1.val_bool := false + // [mir] assert(!move (_20.1: bool), "attempt to compute `{} * {}`, which would overflow", move _18, move _19) -> [success: bb6, unwind: bb94] + __t84 := _20.tuple_1.val_bool + // Rust assertion: attempt to multiply with overflow + assert !__t84 + // ========== bb6 ========== + __t6 := true + // [mir] _17 = move (_20.0: i32) + _17 := _20.tuple_0 + label l17 + // [mir] StorageDead(_19) + // [mir] StorageDead(_18) + // [mir] _15 = Le(move _16, move _17) + _15 := builtin$havoc_ref() + inhale acc(_15.val_bool, write) + _15.val_bool := _16 <= _17.val_int + // [mir] StorageDead(_17) + // [mir] StorageDead(_16) + // [mir] FakeRead(ForLet(None), _15) + // [mir] StorageLive(_21) + // [mir] goto -> bb7 + // ========== loop7_start ========== + // ========== loop7_group1_bb7 ========== + // This is a loop head + __t7 := true + // [mir] falseUnwind -> [real: bb8, unwind: bb94] + // ========== loop7_group1_bb8 ========== + __t8 := true + // [mir] StorageLive(_23) + // [mir] _23 = _15 + _23 := builtin$havoc_ref() + inhale acc(_23.val_bool, write) + _23.val_bool := _15.val_bool + label l18 + // [mir] switchInt(move _23) -> [0: bb85, otherwise: bb9] + __t85 := _23.val_bool + if (__t85) { + goto bb1 + } + goto bb0 + + label bb0 + // ========== l19 ========== + // MIR edge bb8 --> bb85 + goto loop7_group3_bb18 + + label bb1 + // ========== l20 ========== + // MIR edge bb8 --> bb9 + // ========== loop7_group2_bb9 ========== + __t9 := true + // [mir] 
StorageLive(_24) + // [mir] StorageLive(_25) + // [mir] _25 = const false + _25 := builtin$havoc_ref() + inhale acc(_25.val_bool, write) + _25.val_bool := false + // [mir] switchInt(move _25) -> [0: bb11, otherwise: bb10] + __t86 := _25.val_bool + // Ignore default target bb10, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb7) + fold acc(bool(_8), write) + // obtain acc(bool(_8), write) + fold acc(i32(_4.f$y), write) + fold acc(i32(_4.f$x), write) + fold acc(struct$m_Point(_4), write) + // obtain acc(struct$m_Point(_4), write) + fold acc(i32(_7), write) + // obtain acc(i32(_7), write) + fold acc(bool(_15), write) + // obtain acc(bool(_15), write) + fold acc(struct$m_Board(_3), write) + // obtain acc(struct$m_Board(_3), write) + assert 0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) < + f_size__$TY$__$int$()) + assert true + exhale acc(bool(_8), write) && + (acc(struct$m_Point(_4), write) && + (acc(i32(_7), write) && + (acc(bool(_15), write) && acc(struct$m_Board(_3), write)))) + _103 := builtin$havoc_ref() + _108 := builtin$havoc_ref() + _111 := builtin$havoc_int() + _112 := builtin$havoc_ref() + _113 := builtin$havoc_ref() + _114 := builtin$havoc_ref() + _115 := builtin$havoc_int() + _117 := builtin$havoc_ref() + _118 := builtin$havoc_int() + _119 := builtin$havoc_int() + _120 := builtin$havoc_ref() + _121 := builtin$havoc_ref() + _122 := builtin$havoc_ref() + _123 := builtin$havoc_ref() + _124 := builtin$havoc_ref() + _125 := 
builtin$havoc_ref() + _126 := builtin$havoc_int() + _127 := builtin$havoc_int() + _128 := builtin$havoc_ref() + _133 := builtin$havoc_int() + _134 := builtin$havoc_ref() + _135 := builtin$havoc_ref() + _136 := builtin$havoc_ref() + _137 := builtin$havoc_ref() + _138 := builtin$havoc_ref() + _139 := builtin$havoc_ref() + _140 := builtin$havoc_ref() + _141 := builtin$havoc_ref() + _142 := builtin$havoc_ref() + _143 := builtin$havoc_ref() + _144 := builtin$havoc_int() + _145 := builtin$havoc_ref() + _146 := builtin$havoc_ref() + _147 := builtin$havoc_ref() + _148 := builtin$havoc_ref() + _149 := builtin$havoc_ref() + _15 := builtin$havoc_ref() + _150 := builtin$havoc_ref() + _23 := builtin$havoc_ref() + _25 := builtin$havoc_ref() + _29 := builtin$havoc_ref() + _32 := builtin$havoc_ref() + _33 := builtin$havoc_ref() + _34 := builtin$havoc_ref() + _35 := builtin$havoc_ref() + _36 := builtin$havoc_int() + _37 := builtin$havoc_int() + _38 := builtin$havoc_ref() + _4 := builtin$havoc_ref() + _40 := builtin$havoc_ref() + _42 := builtin$havoc_ref() + _46 := builtin$havoc_ref() + _51 := builtin$havoc_ref() + _55 := builtin$havoc_ref() + _58 := builtin$havoc_ref() + _59 := builtin$havoc_ref() + _60 := builtin$havoc_int() + _61 := builtin$havoc_ref() + _62 := builtin$havoc_ref() + _63 := builtin$havoc_ref() + _64 := builtin$havoc_ref() + _66 := builtin$havoc_ref() + _67 := builtin$havoc_ref() + _68 := builtin$havoc_ref() + _69 := builtin$havoc_ref() + _7 := builtin$havoc_ref() + _70 := builtin$havoc_ref() + _71 := builtin$havoc_ref() + _72 := builtin$havoc_ref() + _73 := builtin$havoc_ref() + _74 := builtin$havoc_ref() + _75 := builtin$havoc_ref() + _76 := builtin$havoc_ref() + _77 := builtin$havoc_ref() + _78 := builtin$havoc_ref() + _79 := builtin$havoc_ref() + _80 := builtin$havoc_int() + _81 := builtin$havoc_int() + _82 := builtin$havoc_ref() + _86 := builtin$havoc_ref() + _87 := builtin$havoc_ref() + _88 := builtin$havoc_int() + _89 := builtin$havoc_int() + _90 := 
builtin$havoc_ref() + _91 := builtin$havoc_ref() + _92 := builtin$havoc_ref() + _93 := builtin$havoc_ref() + _94 := builtin$havoc_ref() + _95 := builtin$havoc_ref() + _97 := builtin$havoc_ref() + _99 := builtin$havoc_ref() + __t10 := builtin$havoc_bool() + __t100 := builtin$havoc_bool() + __t101 := builtin$havoc_bool() + __t102 := builtin$havoc_bool() + __t103 := builtin$havoc_bool() + __t104 := builtin$havoc_bool() + __t105 := builtin$havoc_bool() + __t106 := builtin$havoc_bool() + __t107 := builtin$havoc_bool() + __t108 := builtin$havoc_bool() + __t109 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t110 := builtin$havoc_bool() + __t111 := builtin$havoc_bool() + __t112 := builtin$havoc_int() + __t113 := builtin$havoc_bool() + __t114 := builtin$havoc_bool() + __t115 := builtin$havoc_bool() + __t116 := builtin$havoc_bool() + __t117 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t31 := builtin$havoc_bool() + __t32 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t34 := builtin$havoc_bool() + __t35 := builtin$havoc_bool() + __t36 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t40 := builtin$havoc_bool() + __t41 := builtin$havoc_bool() + __t42 := builtin$havoc_bool() + __t43 := builtin$havoc_bool() + __t44 := builtin$havoc_bool() + __t45 := builtin$havoc_bool() + __t46 := builtin$havoc_bool() 
+ __t47 := builtin$havoc_bool() + __t48 := builtin$havoc_bool() + __t49 := builtin$havoc_bool() + __t50 := builtin$havoc_bool() + __t51 := builtin$havoc_bool() + __t52 := builtin$havoc_bool() + __t53 := builtin$havoc_bool() + __t54 := builtin$havoc_bool() + __t55 := builtin$havoc_bool() + __t56 := builtin$havoc_bool() + __t57 := builtin$havoc_bool() + __t58 := builtin$havoc_bool() + __t59 := builtin$havoc_bool() + __t60 := builtin$havoc_bool() + __t61 := builtin$havoc_bool() + __t62 := builtin$havoc_bool() + __t63 := builtin$havoc_bool() + __t64 := builtin$havoc_bool() + __t65 := builtin$havoc_bool() + __t66 := builtin$havoc_bool() + __t67 := builtin$havoc_bool() + __t68 := builtin$havoc_bool() + __t69 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t70 := builtin$havoc_bool() + __t71 := builtin$havoc_bool() + __t72 := builtin$havoc_bool() + __t73 := builtin$havoc_bool() + __t74 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t87 := builtin$havoc_bool() + __t88 := builtin$havoc_bool() + __t89 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + __t90 := builtin$havoc_bool() + __t91 := builtin$havoc_bool() + __t92 := builtin$havoc_bool() + __t93 := builtin$havoc_bool() + __t94 := builtin$havoc_bool() + __t95 := builtin$havoc_bool() + __t96 := builtin$havoc_bool() + __t97 := builtin$havoc_bool() + __t98 := builtin$havoc_bool() + __t99 := builtin$havoc_bool() + // ========== loop7_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb7 + inhale acc(bool(_8), write) && + (acc(struct$m_Point(_4), write) && + (acc(i32(_7), write) && + (acc(bool(_15), write) && acc(struct$m_Board(_3), write)))) + inhale true + // ========== loop7_group2a_bb7 ========== + // This is a loop head + __t7 := true + // [mir] falseUnwind -> [real: bb8, unwind: bb94] + // ========== loop7_group2a_bb8 ========== + __t8 := true + // [mir] StorageLive(_23) + // [mir] _23 = _15 + _23 := builtin$havoc_ref() + inhale acc(_23.val_bool, write) + unfold 
acc(bool(_15), write) + _23.val_bool := _15.val_bool + label l21 + // [mir] switchInt(move _23) -> [0: bb85, otherwise: bb9] + __t87 := _23.val_bool + if (__t87) { + goto bb2 + } + goto l12 + + label bb2 + // ========== l23 ========== + // MIR edge bb8 --> bb9 + // ========== loop7_group2b_bb9 ========== + __t9 := true + // [mir] StorageLive(_24) + // [mir] StorageLive(_25) + // [mir] _25 = const false + _25 := builtin$havoc_ref() + inhale acc(_25.val_bool, write) + _25.val_bool := false + // [mir] switchInt(move _25) -> [0: bb11, otherwise: bb10] + __t88 := _25.val_bool + // Ignore default target bb10, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb7 + inhale 0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) < + f_size__$TY$__$int$()) + // ========== loop7_group3_bb11 ========== + __t10 := true + // [mir] _24 = const () + // [mir] goto -> bb12 + // ========== loop7_group3_bb12 ========== + __t11 := true + // [mir] StorageDead(_25) + // [mir] StorageDead(_24) + // [mir] StorageLive(_28) + // [mir] StorageLive(_29) + // [mir] _29 = const false + _29 := builtin$havoc_ref() + inhale acc(_29.val_bool, write) + _29.val_bool := false + // [mir] switchInt(move _29) -> [0: bb14, otherwise: bb13] + __t89 := _29.val_bool + // Ignore default target bb13, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop7_group3_bb14 ========== + __t12 := true + // [mir] _28 = const () + // [mir] goto -> bb15 + // ========== loop7_group3_bb15 ========== + __t13 := true + // [mir] StorageDead(_29) + // [mir] StorageDead(_28) + // [mir] StorageLive(_32) + // [mir] _32 = VecCandidates::new() -> [return: bb16, unwind: bb94] + label l24 + _32 := builtin$havoc_ref() + inhale acc(struct$m_VecCandidates(_32), write) + inhale true + inhale f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_32)) == + 0 + label l25 + // ========== loop7_group3_bb16 ========== + __t14 := true + // [mir] FakeRead(ForLet(None), _32) + // [mir] StorageLive(_33) + // [mir] _33 = moves() -> [return: bb17, unwind: bb93] + label l26 + _33 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32I32(_33), write) + inhale true + label l27 + // ========== loop7_group3_bb17 ========== + __t15 := true + // [mir] FakeRead(ForLet(None), _33) + // [mir] StorageLive(_34) + // [mir] _34 = const 0_usize + _34 := builtin$havoc_ref() + inhale acc(_34.val_int, write) + _34.val_int := 0 + // [mir] FakeRead(ForLet(None), _34) + // [mir] StorageLive(_35) + // [mir] StorageLive(_36) + // [mir] _36 = _34 + _36 := builtin$havoc_int() + _36 := _34.val_int + label l28 + // [mir] StorageLive(_37) + // [mir] StorageLive(_38) + // [mir] _38 = &_33 + _38 := builtin$havoc_ref() + inhale acc(_38.val_ref, write) + _38.val_ref := _33 + exhale acc(struct$m_VecWrapperI32I32(_33), write - read$()) + inhale acc(struct$m_VecWrapperI32I32(_38.val_ref), read$()) + label l29 + // [mir] _37 = VecWrapperI32I32::len(move _38) -> [return: bb18, unwind: bb92] + label l30 + _37 := builtin$havoc_int() + inhale _37 >= 0 + inhale _37 == + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_38.val_ref)) + // transfer perm 
_38.val_ref --> old[l30](_38.val_ref) // unchecked: false + // ========== l31 ========== + // MIR edge bb17 --> bb18 + // Expire borrows + // expire_borrows ReborrowingDAG(L43,L3,) + + if (__t15 && __t15) { + // expire loan L3 + // transfer perm old[l30](_38.val_ref) --> old[l29](_38.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32I32(old[l29](_38.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32I32(_33), write - read$()) + } + // ========== loop7_group3_bb18 ========== + __t16 := true + // [mir] StorageDead(_38) + // [mir] _35 = Lt(move _36, move _37) + _35 := builtin$havoc_ref() + inhale acc(_35.val_bool, write) + inhale _37 >= 0 + _35.val_bool := _36 < _37 + // [mir] StorageDead(_37) + // [mir] StorageDead(_36) + // [mir] FakeRead(ForLet(None), _35) + // [mir] StorageLive(_39) + // [mir] goto -> bb19 + // ========== loop7_group3_loop19_start ========== + // ========== loop7_group3_loop19_group1_bb19 ========== + // This is a loop head + __t17 := true + // [mir] falseUnwind -> [real: bb20, unwind: bb92] + // ========== loop7_group3_loop19_group1_bb20 ========== + __t18 := true + // [mir] StorageLive(_40) + // [mir] _40 = _35 + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + _40.val_bool := _35.val_bool + label l32 + // [mir] switchInt(move _40) -> [0: bb46, otherwise: bb21] + __t90 := _40.val_bool + if (__t90) { + goto bb4 + } + goto bb3 + + label bb3 + // ========== l33 ========== + // MIR edge bb20 --> bb46 + goto l20 + + label bb4 + // ========== l34 ========== + // MIR edge bb20 --> bb21 + // ========== loop7_group3_loop19_group2_bb21 ========== + __t19 := true + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] _42 = const false + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := false + // [mir] switchInt(move _42) -> [0: bb23, otherwise: bb22] + __t91 := _42.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop7_group3_loop19_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb19) + fold acc(usize(_34), write) + // obtain acc(usize(_34), write) + fold acc(bool(_35), write) + // obtain acc(bool(_35), write) + // obtain acc(struct$m_VecWrapperI32I32(_33), write) + // obtain acc(struct$m_Point(_4), write) + // obtain acc(struct$m_Board(_3), write) + // obtain acc(struct$m_VecCandidates(_32), write) + assert 0 <= (unfolding acc(usize(_34), write) in _34.val_int) && + ((unfolding acc(usize(_34), write) in _34.val_int) < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_33)) && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) < + f_size__$TY$__$int$()))) + assert true + exhale acc(usize(_34), write) && + (acc(bool(_35), write) && + (acc(struct$m_VecWrapperI32I32(_33), write) && + (acc(struct$m_Point(_4), write) && + (acc(struct$m_Board(_3), write) && + acc(struct$m_VecCandidates(_32), write))))) + _34 := builtin$havoc_ref() + _40 := builtin$havoc_ref() + _42 := builtin$havoc_ref() + _46 := builtin$havoc_ref() + _51 := builtin$havoc_ref() + _55 := builtin$havoc_ref() + _58 := builtin$havoc_ref() + _59 := builtin$havoc_ref() + _60 := builtin$havoc_int() + _61 := builtin$havoc_ref() + _62 := builtin$havoc_ref() + _63 := builtin$havoc_ref() + _64 := builtin$havoc_ref() + _66 := builtin$havoc_ref() + _67 := builtin$havoc_ref() + _68 := builtin$havoc_ref() + _69 := builtin$havoc_ref() + _70 := 
builtin$havoc_ref() + _71 := builtin$havoc_ref() + _72 := builtin$havoc_ref() + _73 := builtin$havoc_ref() + _74 := builtin$havoc_ref() + _75 := builtin$havoc_ref() + _76 := builtin$havoc_ref() + _77 := builtin$havoc_ref() + _78 := builtin$havoc_ref() + _79 := builtin$havoc_ref() + _80 := builtin$havoc_int() + _81 := builtin$havoc_int() + _82 := builtin$havoc_ref() + __t100 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t31 := builtin$havoc_bool() + __t32 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t34 := builtin$havoc_bool() + __t35 := builtin$havoc_bool() + __t36 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t92 := builtin$havoc_bool() + __t93 := builtin$havoc_bool() + __t94 := builtin$havoc_bool() + __t95 := builtin$havoc_bool() + __t96 := builtin$havoc_bool() + __t97 := builtin$havoc_bool() + __t98 := builtin$havoc_bool() + __t99 := builtin$havoc_bool() + // ========== loop7_group3_loop19_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb19 + inhale acc(usize(_34), write) && + (acc(bool(_35), write) && + (acc(struct$m_VecWrapperI32I32(_33), write) && + (acc(struct$m_Point(_4), write) && + (acc(struct$m_Board(_3), write) && + acc(struct$m_VecCandidates(_32), write))))) + inhale true + // ========== loop7_group3_loop19_group2a_bb19 ========== + // This is a loop head + __t17 := true + // [mir] falseUnwind -> [real: bb20, unwind: bb92] + // ========== loop7_group3_loop19_group2a_bb20 ========== + __t18 := true + // [mir] 
StorageLive(_40) + // [mir] _40 = _35 + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + unfold acc(bool(_35), write) + _40.val_bool := _35.val_bool + label l35 + // [mir] switchInt(move _40) -> [0: bb46, otherwise: bb21] + __t92 := _40.val_bool + if (__t92) { + goto bb6 + } + goto bb5 + + label bb5 + // ========== l36 ========== + // MIR edge bb20 --> bb46 + goto end_of_method + + label bb6 + // ========== l37 ========== + // MIR edge bb20 --> bb21 + // ========== loop7_group3_loop19_group2b_bb21 ========== + __t19 := true + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] _42 = const false + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := false + // [mir] switchInt(move _42) -> [0: bb23, otherwise: bb22] + __t93 := _42.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop19_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb19 + inhale 0 <= (unfolding acc(usize(_34), write) in _34.val_int) && + ((unfolding acc(usize(_34), write) in _34.val_int) < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_33)) && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) < + f_size__$TY$__$int$()))) + // ========== loop7_group3_loop19_group3_bb23 ========== + __t20 := true + // [mir] _41 = const () + // [mir] goto -> bb24 + // ========== loop7_group3_loop19_group3_bb24 ========== + __t21 
:= true + // [mir] StorageDead(_42) + // [mir] StorageDead(_41) + // [mir] StorageLive(_45) + // [mir] StorageLive(_46) + // [mir] _46 = const false + _46 := builtin$havoc_ref() + inhale acc(_46.val_bool, write) + _46.val_bool := false + // [mir] switchInt(move _46) -> [0: bb26, otherwise: bb25] + __t94 := _46.val_bool + // Ignore default target bb25, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop19_group3_bb26 ========== + __t22 := true + // [mir] _45 = const () + // [mir] goto -> bb27 + // ========== loop7_group3_loop19_group3_bb27 ========== + __t23 := true + // [mir] StorageDead(_46) + // [mir] StorageDead(_45) + // [mir] StorageLive(_50) + // [mir] StorageLive(_51) + // [mir] _51 = const false + _51 := builtin$havoc_ref() + inhale acc(_51.val_bool, write) + _51.val_bool := false + // [mir] switchInt(move _51) -> [0: bb29, otherwise: bb28] + __t95 := _51.val_bool + // Ignore default target bb28, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop19_group3_bb29 ========== + __t24 := true + // [mir] _50 = const () + // [mir] goto -> bb30 + // ========== loop7_group3_loop19_group3_bb30 ========== + __t25 := true + // [mir] StorageDead(_51) + // [mir] StorageDead(_50) + // [mir] StorageLive(_54) + // [mir] StorageLive(_55) + // [mir] _55 = const false + _55 := builtin$havoc_ref() + inhale acc(_55.val_bool, write) + _55.val_bool := false + // [mir] switchInt(move _55) -> [0: bb32, otherwise: bb31] + __t96 := _55.val_bool + // Ignore default target bb31, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop7_group3_loop19_group3_bb32 ========== + __t26 := true + // [mir] _54 = const () + // [mir] goto -> bb33 + // ========== loop7_group3_loop19_group3_bb33 ========== + __t27 := true + // [mir] StorageDead(_55) + // [mir] StorageDead(_54) + // [mir] StorageLive(_58) + // [mir] StorageLive(_59) + // [mir] _59 = &mut _33 + _59 := builtin$havoc_ref() + inhale acc(_59.val_ref, write) + _59.val_ref := _33 + label l38 + // [mir] StorageLive(_60) + // [mir] _60 = _34 + _60 := builtin$havoc_int() + unfold acc(usize(_34), write) + _60 := _34.val_int + label l39 + // [mir] _58 = VecWrapperI32I32::lookup(move _59, move _60) -> [return: bb34, unwind: bb92] + label l40 + assert 0 <= _60 && + _60 < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_59.val_ref)) + assert true + assert _60 >= 0 + exhale acc(_59.val_ref, write) && + (acc(struct$m_VecWrapperI32I32(_59.val_ref), write) && _60 >= 0) + _58 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32I32(old[l40](_59.val_ref)), write) + inhale acc(tuple2$i32$i32(_58), write) + inhale true + label l41 + // ========== l42 ========== + // MIR edge bb33 --> bb34 + // Expire borrows + // expire_borrows ReborrowingDAG(L30,L9,) + + // ========== loop7_group3_loop19_group3_bb34 ========== + __t28 := true + // [mir] StorageDead(_60) + // [mir] StorageDead(_59) + // [mir] FakeRead(ForLet(None), _58) + // [mir] StorageLive(_61) + // [mir] StorageLive(_62) + // [mir] _62 = &mut _4 + _62 := builtin$havoc_ref() + inhale acc(_62.val_ref, write) + _62.val_ref := _4 + label l43 + // [mir] StorageLive(_63) + // [mir] StorageLive(_64) + // [mir] _64 = &mut _58 + _64 := builtin$havoc_ref() + inhale acc(_64.val_ref, write) + _64.val_ref := _58 + label l44 + // [mir] _63 = &mut (*_64) + _63 := builtin$havoc_ref() + inhale acc(_63.val_ref, write) + _63.val_ref := _64.val_ref + label l45 + // [mir] _61 = 
Point::mov(move _62, move _63) -> [return: bb35, unwind: bb92] + label l46 + assert true + exhale acc(_62.val_ref, write) && + (acc(struct$m_Point(_62.val_ref), write) && + (acc(_63.val_ref, write) && acc(tuple2$i32$i32(_63.val_ref), write))) + _61 := builtin$havoc_ref() + inhale acc(struct$m_Point(old[l46](_62.val_ref)), write) && + acc(tuple2$i32$i32(old[l46](_63.val_ref)), write) + inhale acc(struct$m_Point(_61), write) + inhale true + inhale (unfolding acc(struct$m_Point(old[l46](_62.val_ref)), write) in + (unfolding acc(i32(old[l46](_62.val_ref).f$y), write) in + (unfolding acc(i32(old[l46](_62.val_ref).f$x), write) in + old[l46](_62.val_ref).f$x.val_int == + old[l46]((unfolding acc(struct$m_Point(_62.val_ref), write) in + (unfolding acc(i32(_62.val_ref.f$x), write) in + _62.val_ref.f$x.val_int))) && + old[l46](_62.val_ref).f$y.val_int == + old[l46]((unfolding acc(struct$m_Point(_62.val_ref), write) in + (unfolding acc(i32(_62.val_ref.f$y), write) in + _62.val_ref.f$y.val_int)))))) + label l47 + // ========== l48 ========== + // MIR edge bb34 --> bb35 + // Expire borrows + // expire_borrows ReborrowingDAG(L36,L35,L12,L11,L10,) + + // ========== loop7_group3_loop19_group3_bb35 ========== + __t29 := true + // [mir] StorageDead(_63) + // [mir] StorageDead(_62) + // [mir] FakeRead(ForLet(None), _61) + // [mir] StorageDead(_64) + // [mir] StorageLive(_65) + // [mir] StorageLive(_66) + // [mir] StorageLive(_67) + // [mir] _67 = &mut _3 + _67 := builtin$havoc_ref() + inhale acc(_67.val_ref, write) + _67.val_ref := _3 + label l49 + // [mir] StorageLive(_68) + // [mir] StorageLive(_69) + // [mir] _69 = &mut _61 + _69 := builtin$havoc_ref() + inhale acc(_69.val_ref, write) + _69.val_ref := _61 + label l50 + // [mir] _68 = Point::clone(move _69) -> [return: bb36, unwind: bb92] + label l51 + assert true + exhale acc(_69.val_ref, write) && acc(struct$m_Point(_69.val_ref), write) + _68 := builtin$havoc_ref() + inhale acc(struct$m_Point(old[l51](_69.val_ref)), write) + 
inhale acc(struct$m_Point(_68), write) + inhale true + inhale (unfolding acc(struct$m_Point(old[l51](_69.val_ref)), write) in + (unfolding acc(i32(old[l51](_69.val_ref).f$y), write) in + (unfolding acc(i32(old[l51](_69.val_ref).f$x), write) in + (unfolding acc(struct$m_Point(_68), write) in + (unfolding acc(i32(_68.f$y), write) in + (unfolding acc(i32(_68.f$x), write) in + _68.f$x.val_int == + old[l51]((unfolding acc(struct$m_Point(_69.val_ref), write) in + (unfolding acc(i32(_69.val_ref.f$x), write) in + _69.val_ref.f$x.val_int))) && + (_68.f$y.val_int == + old[l51]((unfolding acc(struct$m_Point(_69.val_ref), write) in + (unfolding acc(i32(_69.val_ref.f$y), write) in + _69.val_ref.f$y.val_int))) && + (old[l51](_69.val_ref).f$x.val_int == + old[l51]((unfolding acc(struct$m_Point(_69.val_ref), write) in + (unfolding acc(i32(_69.val_ref.f$x), write) in + _69.val_ref.f$x.val_int))) && + old[l51](_69.val_ref).f$y.val_int == + old[l51]((unfolding acc(struct$m_Point(_69.val_ref), write) in + (unfolding acc(i32(_69.val_ref.f$y), write) in + _69.val_ref.f$y.val_int))))))))))) + label l52 + // ========== l53 ========== + // MIR edge bb35 --> bb36 + // Expire borrows + // expire_borrows ReborrowingDAG(L32,L14,) + + // ========== loop7_group3_loop19_group3_bb36 ========== + __t30 := true + // [mir] StorageDead(_69) + // [mir] _66 = Board::available(move _67, move _68) -> [return: bb37, unwind: bb92] + label l54 + assert true + exhale acc(_67.val_ref, write) && + (acc(struct$m_Board(_67.val_ref), write) && + acc(struct$m_Point(_68), write)) + _66 := builtin$havoc_ref() + inhale acc(struct$m_Board(old[l54](_67.val_ref)), write) + inhale acc(bool(_66), write) + inhale true + inhale (unfolding acc(bool(_66), write) in _66.val_bool) ==> + 0 <= + old[l54]((unfolding acc(struct$m_Point(_68), write) in + (unfolding acc(i32(_68.f$x), write) in _68.f$x.val_int))) && + (old[l54]((unfolding acc(struct$m_Point(_68), write) in + (unfolding acc(i32(_68.f$x), write) in _68.f$x.val_int))) < + 
f_size__$TY$__$int$() && + (0 <= + old[l54]((unfolding acc(struct$m_Point(_68), write) in + (unfolding acc(i32(_68.f$y), write) in _68.f$y.val_int))) && + old[l54]((unfolding acc(struct$m_Point(_68), write) in + (unfolding acc(i32(_68.f$y), write) in _68.f$y.val_int))) < + f_size__$TY$__$int$())) + label l55 + // ========== l56 ========== + // MIR edge bb36 --> bb37 + // Expire borrows + // expire_borrows ReborrowingDAG(L39,L13,) + + // ========== loop7_group3_loop19_group3_bb37 ========== + __t31 := true + // [mir] StorageDead(_68) + // [mir] StorageDead(_67) + // [mir] switchInt(move _66) -> [0: bb42, otherwise: bb38] + unfold acc(bool(_66), write) + __t97 := _66.val_bool + if (!__t97) { + goto loop7_group1_bb7 + } + goto loop7_start + + label l12 + // ========== l22 ========== + // MIR edge bb8 --> bb85 + goto end_of_method + + label l19 + // ========== l81 ========== + // MIR edge bb20 --> bb46 + // ========== l156 ========== + // drop Acc(_64.val_ref, write) (Acc(_64.val_ref, write)) + // drop Acc(_51.val_bool, write) (Acc(_51.val_bool, write)) + // drop Acc(_80.val_int, write) (Acc(_80.val_int, write)) + // drop Acc(_79.tuple_1.val_bool, write) (Acc(_79.tuple_1.val_bool, write)) + // drop Acc(old[l77](_82.val_ref), write) (Acc(old[l77](_82.val_ref), write)) + // drop Acc(_82.val_ref, write) (Acc(_82.val_ref, write)) + // drop Acc(_66.val_bool, write) (Acc(_66.val_bool, write)) + // drop Acc(_79.tuple_0, write) (Acc(_79.tuple_0, write)) + // drop Acc(_81.val_int, write) (Acc(_81.val_int, write)) + // drop Acc(_46.val_bool, write) (Acc(_46.val_bool, write)) + // drop Acc(_42.val_bool, write) (Acc(_42.val_bool, write)) + // drop Acc(_55.val_bool, write) (Acc(_55.val_bool, write)) + // drop Pred(_58, write) (Pred(_58, write)) + // drop Acc(_79.tuple_1, write) (Acc(_79.tuple_1, write)) + goto l20 + + label l20 + // ========== loop7_group3_bb46 ========== + __t40 := true + // [mir] StorageLive(_84) + // [mir] _39 = const () + // [mir] StorageDead(_84) + // [mir] 
StorageDead(_40) + // [mir] StorageDead(_39) + // [mir] StorageLive(_86) + // [mir] _86 = const 0_usize + _86 := builtin$havoc_ref() + inhale acc(_86.val_int, write) + _86.val_int := 0 + // [mir] FakeRead(ForLet(None), _86) + // [mir] StorageLive(_87) + // [mir] StorageLive(_88) + // [mir] _88 = _86 + _88 := builtin$havoc_int() + _88 := _86.val_int + label l83 + // [mir] StorageLive(_89) + // [mir] StorageLive(_90) + // [mir] _90 = &_32 + _90 := builtin$havoc_ref() + inhale acc(_90.val_ref, write) + _90.val_ref := _32 + exhale acc(struct$m_VecCandidates(_32), write - read$()) + inhale acc(struct$m_VecCandidates(_90.val_ref), read$()) + label l84 + // [mir] _89 = VecCandidates::len(move _90) -> [return: bb48, unwind: bb92] + label l85 + _89 := builtin$havoc_int() + inhale _89 >= 0 + inhale _89 == + f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_90.val_ref)) + // transfer perm _90.val_ref --> old[l85](_90.val_ref) // unchecked: false + // ========== l86 ========== + // MIR edge bb46 --> bb48 + // Expire borrows + // expire_borrows ReborrowingDAG(L38,L19,) + + if (__t40 && __t40) { + // expire loan L19 + // transfer perm old[l85](_90.val_ref) --> old[l84](_90.val_ref) // unchecked: false + exhale acc(struct$m_VecCandidates(old[l84](_90.val_ref)), read$()) + inhale acc(struct$m_VecCandidates(_32), write - read$()) + } + // ========== loop7_group3_bb48 ========== + __t41 := true + // [mir] StorageDead(_90) + // [mir] _87 = Lt(move _88, move _89) + _87 := builtin$havoc_ref() + inhale acc(_87.val_bool, write) + inhale _89 >= 0 + _87.val_bool := _88 < _89 + // [mir] StorageDead(_89) + // [mir] StorageDead(_88) + // [mir] FakeRead(ForLet(None), _87) + // [mir] StorageLive(_91) + // [mir] _91 = std::option::Option::<(i32, Point)>::None + _91 := builtin$havoc_ref() + inhale acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) + inhale 
m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(_91) == + 0 + // [mir] FakeRead(ForLet(None), _91) + // [mir] StorageLive(_92) + // [mir] StorageLive(_93) + // [mir] _93 = size() -> [return: bb49, unwind: bb92] + label l87 + _93 := builtin$havoc_ref() + inhale acc(i32(_93), write) + inhale (unfolding acc(i32(_93), write) in _93.val_int) == + f_size__$TY$__$int$() + // ========== loop7_group3_bb49 ========== + __t42 := true + // [mir] StorageLive(_94) + // [mir] _94 = size() -> [return: bb50, unwind: bb92] + label l88 + _94 := builtin$havoc_ref() + inhale acc(i32(_94), write) + inhale (unfolding acc(i32(_94), write) in _94.val_int) == + f_size__$TY$__$int$() + // ========== loop7_group3_bb50 ========== + __t43 := true + // [mir] _95 = CheckedMul(_93, _94) + _95 := builtin$havoc_ref() + inhale acc(_95.tuple_0, write) + inhale acc(_95.tuple_0.val_int, write) + inhale acc(_95.tuple_1, write) + inhale acc(_95.tuple_1.val_bool, write) + unfold acc(i32(_93), write) + unfold acc(i32(_94), write) + _95.tuple_0.val_int := _93.val_int * _94.val_int + _95.tuple_1.val_bool := false + // [mir] assert(!move (_95.1: bool), "attempt to compute `{} * {}`, which would overflow", move _93, move _94) -> [success: bb51, unwind: bb92] + __t101 := _95.tuple_1.val_bool + // Rust assertion: attempt to multiply with overflow + assert !__t101 + // ========== loop7_group3_bb51 ========== + __t44 := true + // [mir] _92 = move (_95.0: i32) + _92 := _95.tuple_0 + label l89 + // [mir] StorageDead(_94) + // [mir] StorageDead(_93) + // [mir] FakeRead(ForLet(None), _92) + // [mir] StorageLive(_96) + // [mir] goto -> bb52 + // ========== loop7_group3_loop52_start ========== + // ========== loop7_group3_loop52_group1_bb52 ========== + // This is a loop head + __t45 := true + // [mir] falseUnwind -> [real: bb53, unwind: bb92] + // ========== loop7_group3_loop52_group1_bb53 ========== + __t46 := true + // 
[mir] StorageLive(_97) + // [mir] _97 = _87 + _97 := builtin$havoc_ref() + inhale acc(_97.val_bool, write) + _97.val_bool := _87.val_bool + label l90 + // [mir] switchInt(move _97) -> [0: bb70, otherwise: bb54] + __t102 := _97.val_bool + if (__t102) { + goto loop7_inv_pre + } + goto loop7_group2_bb9 + + label l22 + // ========== loop7_group3_loop52_group3_bb67 ========== + __t57 := true + // [mir] StorageDead(_117) + // [mir] StorageDead(_116) + // [mir] _125 = CheckedAdd(_86, const 1_usize) + _125 := builtin$havoc_ref() + inhale acc(_125.tuple_0, write) + inhale acc(_125.tuple_0.val_int, write) + inhale acc(_125.tuple_1, write) + inhale acc(_125.tuple_1.val_bool, write) + _125.tuple_0.val_int := _86.val_int + 1 + _125.tuple_1.val_bool := false + // [mir] assert(!move (_125.1: bool), "attempt to compute `{} + {}`, which would overflow", _86, const 1_usize) -> [success: bb68, unwind: bb92] + __t109 := _125.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t109 + // ========== loop7_group3_loop52_group3_bb68 ========== + __t58 := true + // [mir] _86 = move (_125.0: usize) + _86 := _125.tuple_0 + label l115 + // [mir] StorageLive(_126) + // [mir] _126 = _86 + _126 := builtin$havoc_int() + _126 := _86.val_int + label l116 + // [mir] StorageLive(_127) + // [mir] StorageLive(_128) + // [mir] _128 = &_32 + _128 := builtin$havoc_ref() + inhale acc(_128.val_ref, write) + _128.val_ref := _32 + exhale acc(struct$m_VecCandidates(_32), write - read$()) + inhale acc(struct$m_VecCandidates(_128.val_ref), read$()) + label l117 + // [mir] _127 = VecCandidates::len(move _128) -> [return: bb69, unwind: bb92] + label l118 + _127 := builtin$havoc_int() + inhale _127 >= 0 + inhale _127 == + f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_128.val_ref)) + // transfer perm _128.val_ref --> old[l118](_128.val_ref) // unchecked: false + // ========== l119 
========== + // MIR edge bb68 --> bb69 + // Expire borrows + // expire_borrows ReborrowingDAG(L41,L25,) + + if (__t58 && __t58) { + // expire loan L25 + // transfer perm old[l118](_128.val_ref) --> old[l117](_128.val_ref) // unchecked: false + exhale acc(struct$m_VecCandidates(old[l117](_128.val_ref)), read$()) + inhale acc(struct$m_VecCandidates(_32), write - read$()) + } + // ========== loop7_group3_loop52_group3_bb69 ========== + __t59 := true + // [mir] StorageDead(_128) + // [mir] _87 = Lt(move _126, move _127) + inhale _127 >= 0 + _87.val_bool := _126 < _127 + // [mir] StorageDead(_127) + // [mir] StorageDead(_126) + // [mir] _22 = const () + // [mir] StorageDead(_112) + // [mir] StorageDead(_111) + // [mir] StorageDead(_97) + // [mir] goto -> bb52 + // ========== loop7_group3_loop52_group4_bb52 ========== + // This is a loop head + __t45 := true + // [mir] falseUnwind -> [real: bb53, unwind: bb92] + // ========== loop7_group3_loop52_group4_bb53 ========== + __t46 := true + // [mir] StorageLive(_97) + // [mir] _97 = _87 + _97 := builtin$havoc_ref() + inhale acc(_97.val_bool, write) + _97.val_bool := _87.val_bool + label l120 + // [mir] switchInt(move _97) -> [0: bb70, otherwise: bb54] + __t110 := _97.val_bool + if (__t110) { + goto l34 + } + goto l23 + + label l23 + // ========== l121 ========== + // MIR edge bb53 --> bb70 + // ========== l159 ========== + // drop Acc(_113.tuple_0.val_int, write) (Acc(_113.tuple_0.val_int, write)) + // drop Acc(_125.tuple_0, write) (Acc(_125.tuple_0, write)) + // drop Acc(_113.tuple_1, write) (Acc(_113.tuple_1, write)) + // drop Acc(_111.val_int, write) (Acc(_111.val_int, write)) + // drop Acc(_99.val_bool, write) (Acc(_99.val_bool, write)) + // drop Acc(_128.val_ref, write) (Acc(_128.val_ref, write)) + // drop Acc(_126.val_int, write) (Acc(_126.val_int, write)) + // drop Acc(_108.val_bool, write) (Acc(_108.val_bool, write)) + // drop Acc(_118.val_int, write) (Acc(_118.val_int, write)) + // drop Acc(old[l117](_128.val_ref), 
write) (Acc(old[l117](_128.val_ref), write)) + // drop Acc(_117.val_bool, write) (Acc(_117.val_bool, write)) + // drop Acc(_119.val_int, write) (Acc(_119.val_int, write)) + // drop Acc(_103.val_bool, write) (Acc(_103.val_bool, write)) + // drop Acc(_125.tuple_1.val_bool, write) (Acc(_125.tuple_1.val_bool, write)) + // drop Acc(_127.val_int, write) (Acc(_127.val_int, write)) + // drop Acc(_113.tuple_0, write) (Acc(_113.tuple_0, write)) + // drop Acc(_125.tuple_1, write) (Acc(_125.tuple_1, write)) + goto loop7_group2b_bb9 + + label l31 + // ========== l146 ========== + // MIR edge bb8 --> bb85 + // ========== l163 ========== + // drop Acc(_88.val_int, write) (Acc(_88.val_int, write)) + // drop Acc(_40.val_bool, write) (Acc(_40.val_bool, write)) + // drop Acc(_148.tuple_1.val_bool, write) (Acc(_148.tuple_1.val_bool, write)) + // drop Acc(_145.val_int, write) (Acc(_145.val_int, write)) + // drop Acc(_36.val_int, write) (Acc(_36.val_int, write)) + // drop Acc(_147.val_int, write) (Acc(_147.val_int, write)) + // drop Acc(old[l84](_90.val_ref), write) (Acc(old[l84](_90.val_ref), write)) + // drop Acc(_94.val_int, write) (Acc(_94.val_int, write)) + // drop Acc(_146.val_int, write) (Acc(_146.val_int, write)) + // drop Acc(_141.tuple_1.val_bool, write) (Acc(_141.tuple_1.val_bool, write)) + // drop Acc(_38.val_ref, write) (Acc(_38.val_ref, write)) + // drop Acc(_35.val_bool, write) (Acc(_35.val_bool, write)) + // drop Acc(_92.val_int, write) (Acc(_92.val_int, write)) + // drop Acc(_90.val_ref, write) (Acc(_90.val_ref, write)) + // drop Acc(_144.val_int, write) (Acc(_144.val_int, write)) + // drop Acc(old[l29](_38.val_ref), write) (Acc(old[l29](_38.val_ref), write)) + // drop Acc(_93.val_int, write) (Acc(_93.val_int, write)) + // drop Acc(_148.tuple_0, write) (Acc(_148.tuple_0, write)) + // drop Acc(_95.tuple_0, write) (Acc(_95.tuple_0, write)) + // drop Acc(_95.tuple_1.val_bool, write) (Acc(_95.tuple_1.val_bool, write)) + // drop Acc(_89.val_int, write) (Acc(_89.val_int, 
write)) + // drop Acc(_143.val_bool, write) (Acc(_143.val_bool, write)) + // drop Acc(_97.val_bool, write) (Acc(_97.val_bool, write)) + // drop Acc(_133.val_int, write) (Acc(_133.val_int, write)) + // drop Acc(_25.val_bool, write) (Acc(_25.val_bool, write)) + // drop Acc(_29.val_bool, write) (Acc(_29.val_bool, write)) + // drop Acc(_37.val_int, write) (Acc(_37.val_int, write)) + // drop Acc(_87.val_bool, write) (Acc(_87.val_bool, write)) + // drop Acc(_141.tuple_0, write) (Acc(_141.tuple_0, write)) + // drop Acc(_86.val_int, write) (Acc(_86.val_int, write)) + // drop Acc(_34.val_int, write) (Acc(_34.val_int, write)) + // drop Pred(_33, write) (Pred(_33, write)) + // drop Pred(_32, write) (Pred(_32, write)) + // drop Pred(_136, write) (Pred(_136, write)) + // drop Acc(_141.tuple_1, write) (Acc(_141.tuple_1, write)) + // drop Acc(_95.tuple_1, write) (Acc(_95.tuple_1, write)) + // drop Acc(_148.tuple_1, write) (Acc(_148.tuple_1, write)) + goto loop7_group3_bb18 + + label l33 + // ========== l147 ========== + // MIR edge bb8 --> bb9 + // ========== loop7_group5_bb9 ========== + __t9 := true + // [mir] StorageLive(_24) + // [mir] StorageLive(_25) + // [mir] _25 = const false + _25 := builtin$havoc_ref() + inhale acc(_25.val_bool, write) + _25.val_bool := false + // [mir] switchInt(move _25) -> [0: bb11, otherwise: bb10] + __t117 := _25.val_bool + // Ignore default target bb10, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop7_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb7) + fold acc(bool(_8), write) + // obtain acc(bool(_8), write) + fold acc(i32(_4.f$y), write) + fold acc(i32(_4.f$x), write) + fold acc(struct$m_Point(_4), write) + // obtain acc(struct$m_Point(_4), write) + fold acc(i32(_7), write) + // obtain acc(i32(_7), write) + fold acc(bool(_15), write) + // obtain acc(bool(_15), write) + fold acc(struct$m_Board(_3), write) + // obtain acc(struct$m_Board(_3), write) + assert 0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) < + f_size__$TY$__$int$()) + assert true + exhale acc(bool(_8), write) && + (acc(struct$m_Point(_4), write) && + (acc(i32(_7), write) && + (acc(bool(_15), write) && acc(struct$m_Board(_3), write)))) + inhale false + goto end_of_method + + label l34 + // ========== l122 ========== + // MIR edge bb53 --> bb54 + // ========== loop7_group3_loop52_group5_bb54 ========== + __t47 := true + // [mir] StorageLive(_98) + // [mir] StorageLive(_99) + // [mir] _99 = const false + _99 := builtin$havoc_ref() + inhale acc(_99.val_bool, write) + _99.val_bool := false + // [mir] switchInt(move _99) -> [0: bb56, otherwise: bb55] + __t111 := _99.val_bool + // Ignore default target bb55, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop7_group3_loop52_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb52) + fold acc(i32(_92), write) + // obtain acc(i32(_92), write) + // obtain acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) + fold acc(usize(_86), write) + // obtain acc(usize(_86), write) + fold acc(bool(_87), write) + // obtain acc(bool(_87), write) + // obtain acc(struct$m_VecCandidates(_32), write) + assert 0 <= (unfolding acc(usize(_86), write) in _86.val_int) && + ((unfolding acc(usize(_86), write) in _86.val_int) < + f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_32)) && + f_valid__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$bool$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91))) + assert true + exhale acc(i32(_92), write) && + (acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) && + (acc(usize(_86), write) && + (acc(bool(_87), write) && acc(struct$m_VecCandidates(_32), write)))) + inhale false + goto end_of_method + + label loop7_group1_bb7 + // ========== l58 ========== + // MIR edge bb37 --> bb42 + // ========== loop7_group3_loop19_group3_bb42 ========== + __t36 := true + // [mir] _65 = const () + // [mir] goto -> bb43 + // ========== l155 ========== + // drop Pred(_61, write) (Pred(_61, write)) + goto loop7_group1_bb8 + + label loop7_group1_bb8 + // ========== loop7_group3_loop19_group3_bb43 ========== + __t37 := true + // [mir] StorageDead(_66) + // [mir] StorageDead(_65) + // [mir] _79 = CheckedAdd(_34, const 1_usize) + _79 := builtin$havoc_ref() + inhale acc(_79.tuple_0, write) + inhale acc(_79.tuple_0.val_int, write) + inhale acc(_79.tuple_1, write) + inhale acc(_79.tuple_1.val_bool, write) 
+ _79.tuple_0.val_int := _34.val_int + 1 + _79.tuple_1.val_bool := false + // [mir] assert(!move (_79.1: bool), "attempt to compute `{} + {}`, which would overflow", _34, const 1_usize) -> [success: bb44, unwind: bb92] + __t98 := _79.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t98 + // ========== loop7_group3_loop19_group3_bb44 ========== + __t38 := true + // [mir] _34 = move (_79.0: usize) + _34 := _79.tuple_0 + label l75 + // [mir] StorageLive(_80) + // [mir] _80 = _34 + _80 := builtin$havoc_int() + _80 := _34.val_int + label l76 + // [mir] StorageLive(_81) + // [mir] StorageLive(_82) + // [mir] _82 = &_33 + _82 := builtin$havoc_ref() + inhale acc(_82.val_ref, write) + _82.val_ref := _33 + exhale acc(struct$m_VecWrapperI32I32(_33), write - read$()) + inhale acc(struct$m_VecWrapperI32I32(_82.val_ref), read$()) + label l77 + // [mir] _81 = VecWrapperI32I32::len(move _82) -> [return: bb45, unwind: bb92] + label l78 + _81 := builtin$havoc_int() + inhale _81 >= 0 + inhale _81 == + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_82.val_ref)) + // transfer perm _82.val_ref --> old[l78](_82.val_ref) // unchecked: false + // ========== l79 ========== + // MIR edge bb44 --> bb45 + // Expire borrows + // expire_borrows ReborrowingDAG(L40,L18,) + + if (__t38 && __t38) { + // expire loan L18 + // transfer perm old[l78](_82.val_ref) --> old[l77](_82.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32I32(old[l77](_82.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32I32(_33), write - read$()) + } + // ========== loop7_group3_loop19_group3_bb45 ========== + __t39 := true + // [mir] StorageDead(_82) + // [mir] _35 = Lt(move _80, move _81) + inhale _81 >= 0 + _35.val_bool := _80 < _81 + // [mir] StorageDead(_81) + // [mir] StorageDead(_80) + // [mir] _22 = const () + // [mir] StorageDead(_61) + // [mir] 
StorageDead(_58) + // [mir] StorageDead(_40) + // [mir] goto -> bb19 + // ========== loop7_group3_loop19_group4_bb19 ========== + // This is a loop head + __t17 := true + // [mir] falseUnwind -> [real: bb20, unwind: bb92] + // ========== loop7_group3_loop19_group4_bb20 ========== + __t18 := true + // [mir] StorageLive(_40) + // [mir] _40 = _35 + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + _40.val_bool := _35.val_bool + label l80 + // [mir] switchInt(move _40) -> [0: bb46, otherwise: bb21] + __t99 := _40.val_bool + if (__t99) { + goto loop7_group3_loop19_group2_bb21 + } + goto l19 + + label loop7_group2_bb9 + // ========== l91 ========== + // MIR edge bb53 --> bb70 + goto loop7_group2b_bb9 + + label loop7_group2a_bb7 + // ========== l105 ========== + // MIR edge bb64 --> bb65 + // ========== loop7_group3_loop52_group3_bb65 ========== + __t55 := true + // [mir] StorageLive(_120) + // [mir] _120 = _111 + _120 := builtin$havoc_ref() + inhale acc(_120.val_int, write) + _120.val_int := _111 + label l107 + // [mir] _92 = move _120 + _92 := _120 + label l108 + // [mir] StorageDead(_120) + // [mir] StorageLive(_121) + // [mir] StorageLive(_122) + // [mir] StorageLive(_123) + // [mir] _123 = _111 + _123 := builtin$havoc_ref() + inhale acc(_123.val_int, write) + _123.val_int := _111 + label l109 + // [mir] StorageLive(_124) + // [mir] _124 = move _112 + _124 := _112 + label l110 + // [mir] _122 = (move _123, move _124) + _122 := builtin$havoc_ref() + inhale acc(tuple2$i32$struct$m_Point(_122), write) + unfold acc(tuple2$i32$struct$m_Point(_122), write) + _122.tuple_0 := _123 + label l111 + _122.tuple_1 := _124 + label l112 + // [mir] StorageDead(_124) + // [mir] StorageDead(_123) + // [mir] _121 = std::option::Option::<(i32, Point)>::Some(move _122) + _121 := builtin$havoc_ref() + inhale acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_121), write) + inhale 
m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(_121) == + 1 + // downcast _121 to enum_Some + + unfold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_121), write) + unfold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(_121.enum_Some), write) + _121.enum_Some.f$0 := _122 + label l113 + // [mir] StorageDead(_122) + // [mir] _91 = move _121 + _91 := _121 + label l114 + // [mir] StorageDead(_121) + // [mir] _116 = const () + // [mir] goto -> bb67 + // ========== l157 ========== + fold acc(i32(_91.enum_Some.f$0.tuple_0), write) + fold acc(tuple2$i32$struct$m_Point(_91.enum_Some.f$0), write) + fold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(_91.enum_Some), write) + fold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) + goto l22 + + label loop7_group2a_bb8 + // ========== l106 ========== + // MIR edge bb64 --> bb66 + // ========== loop7_group3_loop52_group3_bb66 ========== + __t56 := true + // [mir] _116 = const () + // [mir] goto -> bb67 + // ========== l158 ========== + // drop Pred(_112, write) (Pred(_112, write)) + goto l22 + + label loop7_group2b_bb9 + // ========== loop7_group3_bb70 ========== + __t60 := true + // [mir] StorageLive(_130) + // [mir] _96 = const () + // [mir] StorageDead(_130) + // [mir] StorageDead(_97) + // [mir] StorageDead(_96) + // [mir] StorageLive(_132) + // [mir] FakeRead(ForMatchedPlace(None), _91) + // [mir] _133 = discriminant(_91) + _133 := builtin$havoc_int() + _133 := m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(_91) + // [mir] switchInt(move _133) -> [0: bb71, 1: bb72, otherwise: bb47] + __t112 := _133 + // Ignore default target bb47, as the compiler marked it as unreachable. 
+ if (__t112 == 0) { + goto loop7_group3_bb12 + } + goto loop7_group3_bb11 + + label loop7_group3_bb11 + // ========== l123 ========== + // MIR edge bb70 --> bb72 + // ========== loop7_group3_bb72 ========== + __t61 := true + // [mir] falseEdge -> [real: bb73, imaginary: bb71] + // ========== loop7_group3_bb73 ========== + __t62 := true + // [mir] StorageLive(_134) + // [mir] _134 = move (((_91 as Some).0: (i32, Point)).1: Point) + unfold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) + unfold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(_91.enum_Some), write) + unfold acc(tuple2$i32$struct$m_Point(_91.enum_Some.f$0), write) + _134 := _91.enum_Some.f$0.tuple_1 + label l125 + // [mir] StorageLive(_135) + // [mir] _135 = move _134 + _135 := _134 + label l126 + // [mir] _4 = move _135 + _4 := _135 + label l127 + // [mir] StorageDead(_135) + // [mir] _132 = const () + // [mir] StorageDead(_134) + // [mir] goto -> bb74 + // ========== l160 ========== + // drop Acc(_91[enum_Some], write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + // drop Acc(_91.discriminant, write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + // drop Acc(_91[enum_Some].f$0.tuple_0, write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + // drop Acc(_91[enum_Some].f$0.tuple_1, write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + // drop Acc(_91[enum_Some].f$0, write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + // drop Pred(_91[enum_Some].f$0.tuple_0, write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + unfold acc(bool(_8), write) + goto loop7_group3_bb14 + + label loop7_group3_bb12 + // ========== l124 ========== + // MIR edge bb70 --> bb71 + // ========== loop7_group3_bb71 ========== + __t63 := true + // [mir] _8 = const true + unfold acc(bool(_8), write) + _8.val_bool := true + // [mir] _132 = const () + // [mir] goto -> bb74 + // ========== l161 ========== + // drop Pred(_91, write) (Pred(_91[enum_Some].f$0.tuple_1, write)) + goto loop7_group3_bb14 + + label 
loop7_group3_bb14 + // ========== loop7_group3_bb74 ========== + __t64 := true + // [mir] StorageDead(_132) + // [mir] StorageLive(_136) + // [mir] StorageLive(_137) + // [mir] _137 = &mut (_3.0: VecVecWrapperI32) + _137 := builtin$havoc_ref() + inhale acc(_137.val_ref, write) + unfold acc(struct$m_Board(_3), write) + _137.val_ref := _3.f$field + label l128 + // [mir] StorageLive(_138) + // [mir] _138 = (_4.0: i32) + _138 := builtin$havoc_ref() + inhale acc(_138.val_int, write) + unfold acc(struct$m_Point(_4), write) + unfold acc(i32(_4.f$x), write) + _138.val_int := _4.f$x.val_int + label l129 + // [mir] StorageLive(_139) + // [mir] _139 = (_4.1: i32) + _139 := builtin$havoc_ref() + inhale acc(_139.val_int, write) + unfold acc(i32(_4.f$y), write) + _139.val_int := _4.f$y.val_int + label l130 + // [mir] StorageLive(_140) + // [mir] _140 = _7 + _140 := builtin$havoc_ref() + inhale acc(_140.val_int, write) + unfold acc(i32(_7), write) + _140.val_int := _7.val_int + label l131 + // [mir] _136 = VecVecWrapperI32::store(move _137, move _138, move _139, move _140) -> [return: bb75, unwind: bb92] + label l132 + assert 0 <= _138.val_int && _138.val_int < f_size__$TY$__$int$() && + (0 <= _139.val_int && _139.val_int < f_size__$TY$__$int$()) + assert true + fold acc(i32(_138), write) + fold acc(i32(_139), write) + fold acc(i32(_140), write) + exhale acc(_137.val_ref, write) && + (acc(struct$m_VecVecWrapperI32(_137.val_ref), write) && + (acc(i32(_138), write) && + (acc(i32(_139), write) && acc(i32(_140), write)))) + _136 := builtin$havoc_ref() + inhale acc(struct$m_VecVecWrapperI32(old[l132](_137.val_ref)), write) + inhale acc(tuple0$(_136), write) + inhale true + inhale f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(old[l132](_137.val_ref)), + old[l132](_138.val_int), old[l132](_139.val_int)) == + old[l132](_140.val_int) && + (forall 
_0_quant_0: Int, _1_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < f_size__$TY$__$int$()) || + (_0_quant_0 == old[l132](_138.val_int) || + (!(0 <= _1_quant_0) || + (!(_1_quant_0 < f_size__$TY$__$int$()) || + (!(_1_quant_0 == old[l132](_139.val_int)) ==> + f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(old[l132](_137.val_ref)), + _0_quant_0, _1_quant_0) == + old[l132](f_VecVecWrapperI32$$lookup__$TY$__Snap$struct$m_VecVecWrapperI32$$int$$$int$$$int$(snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(_137.val_ref), + _0_quant_0, _1_quant_0)))))))) + label l133 + // ========== l134 ========== + // MIR edge bb74 --> bb75 + // Expire borrows + // expire_borrows ReborrowingDAG(L34,L26,) + + // ========== loop7_group3_bb75 ========== + __t65 := true + // [mir] StorageDead(_140) + // [mir] StorageDead(_139) + // [mir] StorageDead(_138) + // [mir] StorageDead(_137) + // [mir] StorageDead(_136) + // [mir] _141 = CheckedAdd(_7, const 1_i32) + _141 := builtin$havoc_ref() + inhale acc(_141.tuple_0, write) + inhale acc(_141.tuple_0.val_int, write) + inhale acc(_141.tuple_1, write) + inhale acc(_141.tuple_1.val_bool, write) + _141.tuple_0.val_int := _7.val_int + 1 + _141.tuple_1.val_bool := false + // [mir] assert(!move (_141.1: bool), "attempt to compute `{} + {}`, which would overflow", _7, const 1_i32) -> [success: bb76, unwind: bb92] + __t113 := _141.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t113 + // ========== loop7_group3_bb76 ========== + __t66 := true + // [mir] _7 = move (_141.0: i32) + _7 := _141.tuple_0 + label l135 + // [mir] StorageLive(_142) + // [mir] StorageLive(_143) + // [mir] StorageLive(_144) + // [mir] _144 = _7 + _144 := builtin$havoc_int() + _144 := _7.val_int + label l136 + // [mir] StorageLive(_145) + // [mir] 
StorageLive(_146) + // [mir] _146 = size() -> [return: bb80, unwind: bb92] + label l137 + _146 := builtin$havoc_ref() + inhale acc(i32(_146), write) + inhale (unfolding acc(i32(_146), write) in _146.val_int) == + f_size__$TY$__$int$() + // ========== loop7_group3_bb80 ========== + __t67 := true + // [mir] StorageLive(_147) + // [mir] _147 = size() -> [return: bb81, unwind: bb92] + label l138 + _147 := builtin$havoc_ref() + inhale acc(i32(_147), write) + inhale (unfolding acc(i32(_147), write) in _147.val_int) == + f_size__$TY$__$int$() + // ========== loop7_group3_bb81 ========== + __t68 := true + // [mir] _148 = CheckedMul(_146, _147) + _148 := builtin$havoc_ref() + inhale acc(_148.tuple_0, write) + inhale acc(_148.tuple_0.val_int, write) + inhale acc(_148.tuple_1, write) + inhale acc(_148.tuple_1.val_bool, write) + unfold acc(i32(_146), write) + unfold acc(i32(_147), write) + _148.tuple_0.val_int := _146.val_int * _147.val_int + _148.tuple_1.val_bool := false + // [mir] assert(!move (_148.1: bool), "attempt to compute `{} * {}`, which would overflow", move _146, move _147) -> [success: bb82, unwind: bb92] + __t114 := _148.tuple_1.val_bool + // Rust assertion: attempt to multiply with overflow + assert !__t114 + // ========== loop7_group3_bb82 ========== + __t69 := true + // [mir] _145 = move (_148.0: i32) + _145 := _148.tuple_0 + label l139 + // [mir] StorageDead(_147) + // [mir] StorageDead(_146) + // [mir] _143 = Le(move _144, move _145) + _143 := builtin$havoc_ref() + inhale acc(_143.val_bool, write) + _143.val_bool := _144 <= _145.val_int + // [mir] StorageDead(_145) + // [mir] StorageDead(_144) + // [mir] switchInt(move _143) -> [0: bb77, otherwise: bb78] + __t115 := _143.val_bool + if (!__t115) { + goto loop7_group3_bb16 + } + goto loop7_group3_bb15 + + label loop7_group3_bb15 + // ========== l140 ========== + // MIR edge bb82 --> bb78 + // ========== loop7_group3_bb78 ========== + __t70 := true + // [mir] StorageLive(_149) + // [mir] StorageLive(_150) + // 
[mir] _150 = _8 + _150 := builtin$havoc_ref() + inhale acc(_150.val_bool, write) + _150.val_bool := _8.val_bool + label l142 + // [mir] _149 = Not(move _150) + _149 := builtin$havoc_ref() + inhale acc(_149.val_bool, write) + _149.val_bool := !_150.val_bool + // [mir] StorageDead(_150) + // [mir] _142 = move _149 + _142 := _149 + label l143 + // [mir] goto -> bb79 + // ========== l162 ========== + // drop Acc(_150.val_bool, write) (Acc(_150.val_bool, write)) + goto loop7_group3_bb17 + + label loop7_group3_bb16 + // ========== l141 ========== + // MIR edge bb82 --> bb77 + // ========== loop7_group3_bb77 ========== + __t71 := true + // [mir] _142 = const false + _142 := builtin$havoc_ref() + inhale acc(_142.val_bool, write) + _142.val_bool := false + // [mir] goto -> bb79 + goto loop7_group3_bb17 + + label loop7_group3_bb17 + // ========== loop7_group3_bb79 ========== + __t72 := true + // [mir] StorageDead(_149) + // [mir] StorageDead(_143) + // [mir] _15 = move _142 + _15 := _142 + label l144 + // [mir] StorageDead(_142) + // [mir] _22 = const () + // [mir] StorageDead(_92) + // [mir] StorageDead(_91) + // [mir] StorageDead(_87) + // [mir] StorageDead(_86) + // [mir] StorageDead(_35) + // [mir] StorageDead(_34) + // [mir] drop(_33) -> [return: bb83, unwind: bb93] + // ========== loop7_group3_bb83 ========== + __t73 := true + // [mir] StorageDead(_33) + // [mir] drop(_32) -> [return: bb84, unwind: bb94] + // ========== loop7_group3_bb84 ========== + __t74 := true + // [mir] StorageDead(_32) + // [mir] StorageDead(_23) + // [mir] goto -> bb7 + // ========== loop7_group4_bb7 ========== + // This is a loop head + __t7 := true + // [mir] falseUnwind -> [real: bb8, unwind: bb94] + // ========== loop7_group4_bb8 ========== + __t8 := true + // [mir] StorageLive(_23) + // [mir] _23 = _15 + _23 := builtin$havoc_ref() + inhale acc(_23.val_bool, write) + _23.val_bool := _15.val_bool + label l145 + // [mir] switchInt(move _23) -> [0: bb85, otherwise: bb9] + __t116 := _23.val_bool 
+ if (__t116) { + goto l33 + } + goto l31 + + label loop7_group3_bb18 + // ========== bb85 ========== + __t76 := true + // [mir] StorageLive(_152) + // [mir] _21 = const () + // [mir] StorageDead(_152) + // [mir] StorageDead(_23) + // [mir] StorageDead(_21) + // [mir] StorageLive(_154) + // [mir] _154 = _8 + _154 := builtin$havoc_ref() + inhale acc(_154.val_bool, write) + _154.val_bool := _8.val_bool + label l148 + // [mir] switchInt(move _154) -> [0: bb87, otherwise: bb86] + __t118 := _154.val_bool + if (!__t118) { + goto loop7_group3_loop19_group1_bb19 + } + goto loop7_group3_loop19_start + + label loop7_group3_loop19_group1_bb19 + // ========== l150 ========== + // MIR edge bb85 --> bb87 + // ========== bb87 ========== + __t79 := true + // [mir] StorageLive(_156) + // [mir] _156 = move _3 + _156 := _3 + label l151 + // [mir] _0 = std::option::Option::::Some(move _156) + _0 := builtin$havoc_ref() + inhale acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0), write) + inhale m_std$$option$$Option$_beg_$struct$m_Board$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(_0) == + 1 + // downcast _0 to enum_Some + + unfold acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0), write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(_0.enum_Some), write) + _0.enum_Some.f$0 := _156 + label l152 + // [mir] drop(_156) -> [return: bb88, unwind: bb94] + // ========== bb88 ========== + __t80 := true + // [mir] StorageDead(_156) + // [mir] StorageDead(_154) + // [mir] StorageDead(_15) + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] StorageDead(_4) + // [mir] drop(_3) -> [return: bb90, unwind: bb95] + // ========== bb90 ========== + __t81 := true + // [mir] StorageDead(_3) + // [mir] goto -> bb91 + // ========== l165 ========== + fold acc(struct$m_Board(_0.enum_Some.f$0), write) + fold acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(_0.enum_Some), write) + fold 
acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0), write) + goto loop7_group3_loop19_group1_bb20 + + label loop7_group3_loop19_group1_bb20 + // ========== bb91 ========== + __t82 := true + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l154 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + // obtain acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label loop7_group3_loop19_group2_bb21 + // ========== l82 ========== + // MIR edge bb20 --> bb21 + // ========== loop7_group3_loop19_group5_bb21 ========== + __t19 := true + // [mir] StorageLive(_41) + // [mir] StorageLive(_42) + // [mir] _42 = const false + _42 := builtin$havoc_ref() + inhale acc(_42.val_bool, write) + _42.val_bool := false + // [mir] switchInt(move _42) -> [0: bb23, otherwise: bb22] + __t100 := _42.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop7_group3_loop19_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb19) + fold acc(usize(_34), write) + // obtain acc(usize(_34), write) + fold acc(bool(_35), write) + // obtain acc(bool(_35), write) + // obtain acc(struct$m_VecWrapperI32I32(_33), write) + // obtain acc(struct$m_Point(_4), write) + // obtain acc(struct$m_Board(_3), write) + // obtain acc(struct$m_VecCandidates(_32), write) + assert 0 <= (unfolding acc(usize(_34), write) in _34.val_int) && + ((unfolding acc(usize(_34), write) in _34.val_int) < + f_VecWrapperI32I32$$len__$TY$__Snap$struct$m_VecWrapperI32I32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32I32$struct$m_VecWrapperI32I32$Snap$struct$m_VecWrapperI32I32(_33)) && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$x), write) in _4.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) && + (unfolding acc(struct$m_Point(_4), write) in + (unfolding acc(i32(_4.f$y), write) in _4.f$y.val_int)) < + f_size__$TY$__$int$()))) + assert true + exhale acc(usize(_34), write) && + (acc(bool(_35), write) && + (acc(struct$m_VecWrapperI32I32(_33), write) && + (acc(struct$m_Point(_4), write) && + (acc(struct$m_Board(_3), write) && + acc(struct$m_VecCandidates(_32), write))))) + inhale false + goto end_of_method + + label loop7_group3_loop19_start + // ========== l149 ========== + // MIR edge bb85 --> bb86 + // ========== bb86 ========== + __t77 := true + // [mir] _0 = std::option::Option::::None + _0 := builtin$havoc_ref() + inhale acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0), write) + inhale m_std$$option$$Option$_beg_$struct$m_Board$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(_0) == + 0 + // [mir] StorageDead(_154) + // [mir] 
StorageDead(_15) + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] StorageDead(_4) + // [mir] drop(_3) -> [return: bb89, unwind: bb95] + // ========== bb89 ========== + __t78 := true + // [mir] StorageDead(_3) + // [mir] goto -> bb91 + // ========== l164 ========== + // drop Pred(_3.f$field, write) (Pred(_3.f$field, write)) + // drop Acc(_3.f$field, write) (Acc(_3.f$field, write)) + goto loop7_group3_loop19_group1_bb20 + + label loop7_inv_post_fnspc + // ========== l95 ========== + // MIR edge bb53 --> bb54 + // ========== loop7_group3_loop52_group2b_bb54 ========== + __t47 := true + // [mir] StorageLive(_98) + // [mir] StorageLive(_99) + // [mir] _99 = const false + _99 := builtin$havoc_ref() + inhale acc(_99.val_bool, write) + _99.val_bool := false + // [mir] switchInt(move _99) -> [0: bb56, otherwise: bb55] + __t105 := _99.val_bool + // Ignore default target bb55, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop52_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb52 + inhale 0 <= (unfolding acc(usize(_86), write) in _86.val_int) && + ((unfolding acc(usize(_86), write) in _86.val_int) < + f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_32)) && + f_valid__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$bool$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91))) + // ========== loop7_group3_loop52_group3_bb56 ========== + __t48 := true + // [mir] _98 = const () + // [mir] goto -> bb57 + // ========== loop7_group3_loop52_group3_bb57 ========== + __t49 := true + // [mir] StorageDead(_99) + // [mir] StorageDead(_98) + // [mir] StorageLive(_102) + // [mir] StorageLive(_103) + // [mir] _103 = const false 
+ _103 := builtin$havoc_ref() + inhale acc(_103.val_bool, write) + _103.val_bool := false + // [mir] switchInt(move _103) -> [0: bb59, otherwise: bb58] + __t106 := _103.val_bool + // Ignore default target bb58, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop52_group3_bb59 ========== + __t50 := true + // [mir] _102 = const () + // [mir] goto -> bb60 + // ========== loop7_group3_loop52_group3_bb60 ========== + __t51 := true + // [mir] StorageDead(_103) + // [mir] StorageDead(_102) + // [mir] StorageLive(_107) + // [mir] StorageLive(_108) + // [mir] _108 = const false + _108 := builtin$havoc_ref() + inhale acc(_108.val_bool, write) + _108.val_bool := false + // [mir] switchInt(move _108) -> [0: bb62, otherwise: bb61] + __t107 := _108.val_bool + // Ignore default target bb61, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop52_group3_bb62 ========== + __t52 := true + // [mir] _107 = const () + // [mir] goto -> bb63 + // ========== loop7_group3_loop52_group3_bb63 ========== + __t53 := true + // [mir] StorageDead(_108) + // [mir] StorageDead(_107) + // [mir] StorageLive(_113) + // [mir] StorageLive(_114) + // [mir] _114 = &mut _32 + _114 := builtin$havoc_ref() + inhale acc(_114.val_ref, write) + _114.val_ref := _32 + label l96 + // [mir] StorageLive(_115) + // [mir] _115 = _86 + _115 := builtin$havoc_int() + unfold acc(usize(_86), write) + _115 := _86.val_int + label l97 + // [mir] _113 = VecCandidates::lookup(move _114, move _115) -> [return: bb64, unwind: bb92] + label l98 + assert 0 <= _115 && + _115 < + f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_114.val_ref)) + assert true + assert _115 >= 0 + exhale acc(_114.val_ref, write) && + (acc(struct$m_VecCandidates(_114.val_ref), write) && _115 >= 0) + _113 := builtin$havoc_ref() + inhale 
acc(struct$m_VecCandidates(old[l98](_114.val_ref)), write) + inhale acc(tuple2$i32$struct$m_Point(_113), write) + inhale true + inhale 0 <= + (unfolding acc(tuple2$i32$struct$m_Point(_113), write) in + (unfolding acc(struct$m_Point(_113.tuple_1), write) in + (unfolding acc(i32(_113.tuple_1.f$x), write) in + _113.tuple_1.f$x.val_int))) && + (unfolding acc(tuple2$i32$struct$m_Point(_113), write) in + (unfolding acc(struct$m_Point(_113.tuple_1), write) in + (unfolding acc(i32(_113.tuple_1.f$x), write) in + _113.tuple_1.f$x.val_int))) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(tuple2$i32$struct$m_Point(_113), write) in + (unfolding acc(struct$m_Point(_113.tuple_1), write) in + (unfolding acc(i32(_113.tuple_1.f$y), write) in + _113.tuple_1.f$y.val_int))) && + (unfolding acc(tuple2$i32$struct$m_Point(_113), write) in + (unfolding acc(struct$m_Point(_113.tuple_1), write) in + (unfolding acc(i32(_113.tuple_1.f$y), write) in + _113.tuple_1.f$y.val_int))) < + f_size__$TY$__$int$()) + label l99 + // ========== l100 ========== + // MIR edge bb63 --> bb64 + // Expire borrows + // expire_borrows ReborrowingDAG(L42,L24,) + + // ========== loop7_group3_loop52_group3_bb64 ========== + __t54 := true + // [mir] StorageDead(_115) + // [mir] StorageDead(_114) + // [mir] PlaceMention(_113) + // [mir] StorageLive(_111) + // [mir] _111 = (_113.0: i32) + _111 := builtin$havoc_int() + unfold acc(tuple2$i32$struct$m_Point(_113), write) + unfold acc(i32(_113.tuple_0), write) + _111 := _113.tuple_0.val_int + label l101 + // [mir] StorageLive(_112) + // [mir] _112 = move (_113.1: Point) + _112 := _113.tuple_1 + label l102 + // [mir] StorageDead(_113) + // [mir] StorageLive(_116) + // [mir] StorageLive(_117) + // [mir] StorageLive(_118) + // [mir] _118 = _92 + _118 := builtin$havoc_int() + unfold acc(i32(_92), write) + _118 := _92.val_int + label l103 + // [mir] StorageLive(_119) + // [mir] _119 = _111 + _119 := builtin$havoc_int() + _119 := _111 + label l104 + // [mir] _117 = Gt(move 
_118, move _119) + _117 := builtin$havoc_ref() + inhale acc(_117.val_bool, write) + _117.val_bool := _118 > _119 + // [mir] StorageDead(_119) + // [mir] StorageDead(_118) + // [mir] switchInt(move _117) -> [0: bb66, otherwise: bb65] + __t108 := _117.val_bool + if (!__t108) { + goto loop7_group2a_bb8 + } + goto loop7_group2a_bb7 + + label loop7_inv_post_perm + // ========== l94 ========== + // MIR edge bb53 --> bb70 + goto end_of_method + + label loop7_inv_pre + // ========== l92 ========== + // MIR edge bb53 --> bb54 + // ========== loop7_group3_loop52_group2_bb54 ========== + __t47 := true + // [mir] StorageLive(_98) + // [mir] StorageLive(_99) + // [mir] _99 = const false + _99 := builtin$havoc_ref() + inhale acc(_99.val_bool, write) + _99.val_bool := false + // [mir] switchInt(move _99) -> [0: bb56, otherwise: bb55] + __t103 := _99.val_bool + // Ignore default target bb55, as it is only used by Prusti to type-check a loop invariant. + // ========== loop7_group3_loop52_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb52) + fold acc(i32(_92), write) + // obtain acc(i32(_92), write) + // obtain acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) + fold acc(usize(_86), write) + // obtain acc(usize(_86), write) + fold acc(bool(_87), write) + // obtain acc(bool(_87), write) + // obtain acc(struct$m_VecCandidates(_32), write) + assert 0 <= (unfolding acc(usize(_86), write) in _86.val_int) && + ((unfolding acc(usize(_86), write) in _86.val_int) < + f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_32)) && + f_valid__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$bool$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91))) + assert true 
+ exhale acc(i32(_92), write) && + (acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) && + (acc(usize(_86), write) && + (acc(bool(_87), write) && acc(struct$m_VecCandidates(_32), write)))) + _103 := builtin$havoc_ref() + _108 := builtin$havoc_ref() + _111 := builtin$havoc_int() + _112 := builtin$havoc_ref() + _113 := builtin$havoc_ref() + _114 := builtin$havoc_ref() + _115 := builtin$havoc_int() + _117 := builtin$havoc_ref() + _118 := builtin$havoc_int() + _119 := builtin$havoc_int() + _120 := builtin$havoc_ref() + _121 := builtin$havoc_ref() + _122 := builtin$havoc_ref() + _123 := builtin$havoc_ref() + _124 := builtin$havoc_ref() + _125 := builtin$havoc_ref() + _126 := builtin$havoc_int() + _127 := builtin$havoc_int() + _128 := builtin$havoc_ref() + _86 := builtin$havoc_ref() + _91 := builtin$havoc_ref() + _92 := builtin$havoc_ref() + _97 := builtin$havoc_ref() + _99 := builtin$havoc_ref() + __t104 := builtin$havoc_bool() + __t105 := builtin$havoc_bool() + __t106 := builtin$havoc_bool() + __t107 := builtin$havoc_bool() + __t108 := builtin$havoc_bool() + __t109 := builtin$havoc_bool() + __t110 := builtin$havoc_bool() + __t111 := builtin$havoc_bool() + __t45 := builtin$havoc_bool() + __t46 := builtin$havoc_bool() + __t47 := builtin$havoc_bool() + __t48 := builtin$havoc_bool() + __t49 := builtin$havoc_bool() + __t50 := builtin$havoc_bool() + __t51 := builtin$havoc_bool() + __t52 := builtin$havoc_bool() + __t53 := builtin$havoc_bool() + __t54 := builtin$havoc_bool() + __t55 := builtin$havoc_bool() + __t56 := builtin$havoc_bool() + __t57 := builtin$havoc_bool() + __t58 := builtin$havoc_bool() + __t59 := builtin$havoc_bool() + // ========== loop7_group3_loop52_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb52 + inhale acc(i32(_92), write) && + (acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_91), write) && + (acc(usize(_86), write) && + (acc(bool(_87), write) && acc(struct$m_VecCandidates(_32), 
write)))) + inhale true + // ========== loop7_group3_loop52_group2a_bb52 ========== + // This is a loop head + __t45 := true + // [mir] falseUnwind -> [real: bb53, unwind: bb92] + // ========== loop7_group3_loop52_group2a_bb53 ========== + __t46 := true + // [mir] StorageLive(_97) + // [mir] _97 = _87 + _97 := builtin$havoc_ref() + inhale acc(_97.val_bool, write) + unfold acc(bool(_87), write) + _97.val_bool := _87.val_bool + label l93 + // [mir] switchInt(move _97) -> [0: bb70, otherwise: bb54] + __t104 := _97.val_bool + if (__t104) { + goto loop7_inv_post_fnspc + } + goto loop7_inv_post_perm + + label loop7_start + // ========== l57 ========== + // MIR edge bb37 --> bb38 + // ========== loop7_group3_loop19_group3_bb38 ========== + __t32 := true + // [mir] StorageLive(_70) + // [mir] StorageLive(_71) + // [mir] _71 = &mut _3 + _71 := builtin$havoc_ref() + inhale acc(_71.val_ref, write) + _71.val_ref := _3 + label l59 + // [mir] StorageLive(_72) + // [mir] StorageLive(_73) + // [mir] _73 = &mut _61 + _73 := builtin$havoc_ref() + inhale acc(_73.val_ref, write) + _73.val_ref := _61 + label l60 + // [mir] _72 = Point::clone(move _73) -> [return: bb39, unwind: bb92] + label l61 + assert true + exhale acc(_73.val_ref, write) && acc(struct$m_Point(_73.val_ref), write) + _72 := builtin$havoc_ref() + inhale acc(struct$m_Point(old[l61](_73.val_ref)), write) + inhale acc(struct$m_Point(_72), write) + inhale true + inhale (unfolding acc(struct$m_Point(old[l61](_73.val_ref)), write) in + (unfolding acc(i32(old[l61](_73.val_ref).f$y), write) in + (unfolding acc(i32(old[l61](_73.val_ref).f$x), write) in + (unfolding acc(struct$m_Point(_72), write) in + (unfolding acc(i32(_72.f$y), write) in + (unfolding acc(i32(_72.f$x), write) in + _72.f$x.val_int == + old[l61]((unfolding acc(struct$m_Point(_73.val_ref), write) in + (unfolding acc(i32(_73.val_ref.f$x), write) in + _73.val_ref.f$x.val_int))) && + (_72.f$y.val_int == + old[l61]((unfolding acc(struct$m_Point(_73.val_ref), write) 
in + (unfolding acc(i32(_73.val_ref.f$y), write) in + _73.val_ref.f$y.val_int))) && + (old[l61](_73.val_ref).f$x.val_int == + old[l61]((unfolding acc(struct$m_Point(_73.val_ref), write) in + (unfolding acc(i32(_73.val_ref.f$x), write) in + _73.val_ref.f$x.val_int))) && + old[l61](_73.val_ref).f$y.val_int == + old[l61]((unfolding acc(struct$m_Point(_73.val_ref), write) in + (unfolding acc(i32(_73.val_ref.f$y), write) in + _73.val_ref.f$y.val_int))))))))))) + label l62 + // ========== l63 ========== + // MIR edge bb38 --> bb39 + // Expire borrows + // expire_borrows ReborrowingDAG(L29,L16,) + + // ========== loop7_group3_loop19_group3_bb39 ========== + __t33 := true + // [mir] StorageDead(_73) + // [mir] _70 = Board::count_degree(move _71, move _72) -> [return: bb40, unwind: bb92] + label l64 + assert true + exhale acc(_71.val_ref, write) && + (acc(struct$m_Board(_71.val_ref), write) && + acc(struct$m_Point(_72), write)) + _70 := builtin$havoc_ref() + inhale acc(struct$m_Board(old[l64](_71.val_ref)), write) + inhale acc(i32(_70), write) + inhale true + label l65 + // ========== l66 ========== + // MIR edge bb39 --> bb40 + // Expire borrows + // expire_borrows ReborrowingDAG(L37,L15,) + + // ========== loop7_group3_loop19_group3_bb40 ========== + __t34 := true + // [mir] StorageDead(_72) + // [mir] StorageDead(_71) + // [mir] FakeRead(ForLet(None), _70) + // [mir] StorageLive(_74) + // [mir] StorageLive(_75) + // [mir] _75 = &mut _32 + _75 := builtin$havoc_ref() + inhale acc(_75.val_ref, write) + _75.val_ref := _32 + label l67 + // [mir] StorageLive(_76) + // [mir] StorageLive(_77) + // [mir] _77 = _70 + _77 := builtin$havoc_ref() + inhale acc(_77.val_int, write) + unfold acc(i32(_70), write) + _77.val_int := _70.val_int + label l68 + // [mir] StorageLive(_78) + // [mir] _78 = move _61 + _78 := _61 + label l69 + // [mir] _76 = (move _77, move _78) + _76 := builtin$havoc_ref() + inhale acc(tuple2$i32$struct$m_Point(_76), write) + unfold 
acc(tuple2$i32$struct$m_Point(_76), write) + _76.tuple_0 := _77 + label l70 + _76.tuple_1 := _78 + label l71 + // [mir] StorageDead(_78) + // [mir] StorageDead(_77) + // [mir] _74 = VecCandidates::push(move _75, move _76) -> [return: bb41, unwind: bb92] + label l72 + assert 0 <= + (unfolding acc(struct$m_Point(_76.tuple_1), write) in + (unfolding acc(i32(_76.tuple_1.f$x), write) in + _76.tuple_1.f$x.val_int)) && + (unfolding acc(struct$m_Point(_76.tuple_1), write) in + (unfolding acc(i32(_76.tuple_1.f$x), write) in + _76.tuple_1.f$x.val_int)) < + f_size__$TY$__$int$() && + (0 <= + (unfolding acc(struct$m_Point(_76.tuple_1), write) in + (unfolding acc(i32(_76.tuple_1.f$y), write) in + _76.tuple_1.f$y.val_int)) && + (unfolding acc(struct$m_Point(_76.tuple_1), write) in + (unfolding acc(i32(_76.tuple_1.f$y), write) in + _76.tuple_1.f$y.val_int)) < + f_size__$TY$__$int$()) + assert true + fold acc(i32(_76.tuple_0), write) + fold acc(tuple2$i32$struct$m_Point(_76), write) + exhale acc(_75.val_ref, write) && + (acc(struct$m_VecCandidates(_75.val_ref), write) && + acc(tuple2$i32$struct$m_Point(_76), write)) + _74 := builtin$havoc_ref() + inhale acc(struct$m_VecCandidates(old[l72](_75.val_ref)), write) + inhale acc(tuple0$(_74), write) + inhale true + inhale f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(old[l72](_75.val_ref))) == + old[l72](f_VecCandidates$$len__$TY$__Snap$struct$m_VecCandidates$$int$(snap$__$TY$__Snap$struct$m_VecCandidates$struct$m_VecCandidates$Snap$struct$m_VecCandidates(_75.val_ref))) + + 1 + label l73 + // ========== l74 ========== + // MIR edge bb40 --> bb41 + // Expire borrows + // expire_borrows ReborrowingDAG(L33,L17,) + + // ========== loop7_group3_loop19_group3_bb41 ========== + __t35 := true + // [mir] StorageDead(_76) + // [mir] StorageDead(_75) + // [mir] StorageDead(_74) + // [mir] _65 = const () + // [mir] StorageDead(_70) + // [mir] 
goto -> bb43 + // ========== l153 ========== + // drop Acc(_70.val_int, write) (Acc(_70.val_int, write)) + // drop Pred(_74, write) (Pred(_74, write)) + goto loop7_group1_bb8 + + label return + // ========== bb47 ========== + __t75 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--main-Both.vpr new file mode 100644 index 00000000..1df6587f --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--main-Both.vpr 
@@ -0,0 +1,663 @@ +domain MirrorDomain { + + function mirror_simple$f_size__$TY$__$int$(): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0: Snap$struct$m_Board): Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board(self: Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_): Snap$struct$m_Board + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$0$discriminant_axiom { + 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Board, _r_0: Snap$struct$m_Board :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_l_0), + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Board :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Board :: + { 
Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Board { + + function cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_0: Snap$struct$m_VecVecWrapperI32): Snap$struct$m_Board + + function Snap$struct$m_Board$0$field$f$field__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32(self: Snap$struct$m_Board): Snap$struct$m_VecVecWrapperI32 + + axiom Snap$struct$m_Board$0$injectivity { + (forall _l_0: Snap$struct$m_VecVecWrapperI32, _r_0: Snap$struct$m_VecVecWrapperI32 :: + { cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_l_0), + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_r_0) } + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_l_0) == + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_Board$0$field$f$field$axiom { + (forall _0: Snap$struct$m_VecVecWrapperI32 :: + { Snap$struct$m_Board$0$field$f$field__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32(cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_0)) } + Snap$struct$m_Board$0$field$f$field__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32(cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board(_0)) == + _0) + } 
+} + +domain Snap$struct$m_VecVecWrapperI32 { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation 
(SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain 
BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): 
BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + 
function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 
interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$field: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_int: Int + +function f_size__$TY$__$int$(): Int + requires true + requires true + ensures result == 8 + ensures [result == mirror_simple$f_size__$TY$__$int$(), true] + + +function 
m_std$$option$$Option$_beg_$struct$m_Board$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$struct$m_Board$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(self.enum_Some), read$()) in + snap$__$TY$__Snap$struct$m_Board$struct$m_Board$Snap$struct$m_Board(self.enum_Some.f$0)))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_Board$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Board$struct$m_Board$Snap$struct$m_Board(self: Ref): Snap$struct$m_Board + requires acc(struct$m_Board(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Board$Snap$struct$m_VecVecWrapperI32$Snap$struct$m_Board((unfolding acc(struct$m_Board(self), read$()) in + snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(self.f$field))) +} + +function snap$__$TY$__Snap$struct$m_VecVecWrapperI32$struct$m_VecVecWrapperI32$Snap$struct$m_VecVecWrapperI32(self: Ref): Snap$struct$m_VecVecWrapperI32 + requires acc(struct$m_VecVecWrapperI32(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_Board$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(struct$m_Board(self.f$0), write) +} + +predicate struct$m_Board(self: Ref) { + acc(self.f$field, write) && + acc(struct$m_VecVecWrapperI32(self.f$field), write) +} + +predicate struct$m_VecVecWrapperI32(self: Ref) + +predicate 
tuple0$(self: Ref) + +predicate tuple2$i32$i32(self: Ref) { + acc(self.tuple_0, write) && + (acc(i32(self.tuple_0), write) && + (acc(self.tuple_1, write) && acc(i32(self.tuple_1), write))) +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var _aux_havoc_i32: Ref + var __t12: Int + var _1: Int + var _2: Int + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Ref + var _11: Int + var _12: Ref + var _13: Ref + + label start + // ========== start ========== + // Def path: "Knights_tour::main" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:323:1: 333:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = (const 3_i32, const 1_i32) + _3 := builtin$havoc_ref() + inhale acc(tuple2$i32$i32(_3), write) + _aux_havoc_i32 := builtin$havoc_ref() + unfold acc(tuple2$i32$i32(_3), write) + _3.tuple_0 := _aux_havoc_i32 + inhale acc(_3.tuple_0.val_int, write) + _3.tuple_0.val_int := 3 + _aux_havoc_i32 := builtin$havoc_ref() + _3.tuple_1 := _aux_havoc_i32 + inhale acc(_3.tuple_1.val_int, write) + _3.tuple_1.val_int := 1 + // [mir] PlaceMention(_3) + // [mir] StorageLive(_1) + // [mir] _1 = (_3.0: i32) + _1 := builtin$havoc_int() + _1 := _3.tuple_0.val_int + label l0 + // [mir] StorageLive(_2) + // [mir] _2 = (_3.1: i32) + _2 := builtin$havoc_int() + _2 := _3.tuple_1.val_int + label l1 + // [mir] StorageDead(_3) + // [mir] StorageLive(_4) + // [mir] _4 = print_board_size() -> [return: bb1, unwind: bb15] + label l2 + _4 := builtin$havoc_ref() + inhale 
acc(tuple0$(_4), write) + inhale true + label l3 + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_4) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _1 + _6 := builtin$havoc_ref() + inhale acc(_6.val_int, write) + _6.val_int := _1 + label l4 + // [mir] StorageLive(_7) + // [mir] _7 = _2 + _7 := builtin$havoc_ref() + inhale acc(_7.val_int, write) + _7.val_int := _2 + label l5 + // [mir] _5 = print_starting_position(move _6, move _7) -> [return: bb2, unwind: bb15] + label l6 + assert true + fold acc(i32(_6), write) + fold acc(i32(_7), write) + exhale acc(i32(_6), write) && acc(i32(_7), write) + _5 := builtin$havoc_ref() + inhale acc(tuple0$(_5), write) + inhale true + label l7 + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _1 + _9 := builtin$havoc_ref() + inhale acc(_9.val_int, write) + _9.val_int := _1 + label l8 + // [mir] StorageLive(_10) + // [mir] _10 = _2 + _10 := builtin$havoc_ref() + inhale acc(_10.val_int, write) + _10.val_int := _2 + label l9 + // [mir] _8 = knights_tour(move _9, move _10) -> [return: bb3, unwind: bb15] + label l10 + assert 0 <= _9.val_int && + (_9.val_int < f_size__$TY$__$int$() && + (0 <= _10.val_int && _10.val_int < f_size__$TY$__$int$())) + assert true + fold acc(i32(_10), write) + fold acc(i32(_9), write) + exhale acc(i32(_9), write) && acc(i32(_10), write) + _8 := builtin$havoc_ref() + inhale acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_8), write) + inhale true + label l11 + // ========== bb3 ========== + __t3 := true + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] FakeRead(ForMatchedPlace(None), _8) + // [mir] _11 = discriminant(_8) + _11 := builtin$havoc_int() + _11 := m_std$$option$$Option$_beg_$struct$m_Board$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_Board$_end_$$int$(_8) + // [mir] 
switchInt(move _11) -> [0: bb4, 1: bb5, otherwise: bb6] + __t12 := _11 + // Ignore default target bb6, as the compiler marked it as unreachable. + if (__t12 == 0) { + goto bb1 + } + goto bb0 + + label bb0 + // ========== l12 ========== + // MIR edge bb3 --> bb5 + // ========== bb5 ========== + __t5 := true + // [mir] falseEdge -> [real: bb7, imaginary: bb4] + // ========== bb7 ========== + __t6 := true + // [mir] StorageLive(_12) + // [mir] _12 = move ((_8 as Some).0: Board) + unfold acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_(_8), write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_Board$_end_Some(_8.enum_Some), write) + _12 := _8.enum_Some.f$0 + label l14 + // [mir] StorageLive(_13) + // [mir] _13 = move _12 + _13 := _12 + label l15 + // [mir] _0 = print_board(move _13) -> [return: bb8, unwind: bb12] + label l16 + assert true + exhale acc(struct$m_Board(_13), write) + _0 := builtin$havoc_ref() + inhale acc(tuple0$(_0), write) + inhale true + label l17 + // ========== bb8 ========== + __t7 := true + // [mir] StorageDead(_13) + // [mir] drop(_12) -> [return: bb9, unwind: bb14] + // ========== bb9 ========== + __t8 := true + // [mir] StorageDead(_12) + // [mir] goto -> bb10 + // ========== l20 ========== + // drop Acc(_8[enum_Some], write) (Pred(_8[enum_Some].f$0, write)) + // drop Acc(_8[enum_Some].f$0, write) (Pred(_8[enum_Some].f$0, write)) + // drop Acc(_8.discriminant, write) (Pred(_8[enum_Some].f$0, write)) + goto bb2 + + label bb1 + // ========== l13 ========== + // MIR edge bb3 --> bb4 + // ========== bb4 ========== + __t9 := true + // [mir] _0 = print_fail() -> [return: bb10, unwind: bb14] + label l18 + _0 := builtin$havoc_ref() + inhale acc(tuple0$(_0), write) + inhale true + label l19 + // ========== l22 ========== + // drop Pred(_8, write) (Pred(_8[enum_Some].f$0, write)) + goto bb2 + + label bb2 + // ========== bb10 ========== + __t10 := true + // [mir] StorageDead(_2) + // [mir] StorageDead(_1) + // [mir] drop(_8) -> [return: bb11, 
unwind: bb15] + // ========== bb11 ========== + __t11 := true + // [mir] StorageDead(_8) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l21 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb6 ========== + __t4 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--valid-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--valid-Both.vpr new file mode 100644 index 00000000..da976dc3 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knight_tour.rs/tests_verify_pass_rosetta_Knights_tour_Knights_tour.rs_Knights_tour--valid-Both.vpr 
@@ -0,0 +1,868 @@ +domain MirrorDomain { + + function mirror_simple$f_size__$TY$__$int$(): Int +} + +domain Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(): Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0: Snap$tuple2$i32$struct$m_Point): Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ + + function Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(self: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_): Snap$tuple2$i32$struct$m_Point + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self) <= + 1) + } + + axiom 
Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$injectivity { + (forall _l_0: Snap$tuple2$i32$struct$m_Point, _r_0: Snap$tuple2$i32$struct$m_Point :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_l_0), + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$discriminant_axiom { + (forall _0: Snap$tuple2$i32$struct$m_Point :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0) } + 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0$axiom { + (forall _0: Snap$tuple2$i32$struct$m_Point :: + { Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + 
cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$tuple2$i32$struct$m_Point { + + function cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0: Int, + _1: Snap$struct$m_Point): Snap$tuple2$i32$struct$m_Point + + function Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self: Snap$tuple2$i32$struct$m_Point): Int + + function 
Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(self: Snap$tuple2$i32$struct$m_Point): Snap$struct$m_Point + + axiom Snap$tuple2$i32$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Snap$struct$m_Point, _r_0: Int, _r_1: Snap$struct$m_Point :: + { cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$tuple2$i32$struct$m_Point$0$field$tuple_0$axiom { + (forall _0: Int, _1: Snap$struct$m_Point :: + { Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) } + Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$tuple2$i32$struct$m_Point$0$field$tuple_0$valid { + (forall self: Snap$tuple2$i32$struct$m_Point :: + { Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self) && + Snap$tuple2$i32$struct$m_Point$0$field$tuple_0__$TY$__Snap$tuple2$i32$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$tuple2$i32$struct$m_Point$0$field$tuple_1$axiom { + (forall _0: Int, _1: Snap$struct$m_Point :: + { 
Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) } + Snap$tuple2$i32$struct$m_Point$0$field$tuple_1__$TY$__Snap$tuple2$i32$struct$m_Point$Snap$struct$m_Point(cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool 
interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function 
f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): 
BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: 
BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation 
"bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_size__$TY$__$int$(): Int + requires true + requires true + ensures result == 8 + ensures [result == mirror_simple$f_size__$TY$__$int$(), true] + + +function m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_ + requires acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$tuple2$i32$struct$m_Point$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_((unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(self.enum_Some), read$()) in + snap$__$TY$__Snap$tuple2$i32$struct$m_Point$tuple2$i32$struct$m_Point$Snap$tuple2$i32$struct$m_Point(self.enum_Some.f$0)))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$Snap$m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$tuple2$i32$struct$m_Point$tuple2$i32$struct$m_Point$Snap$tuple2$i32$struct$m_Point(self: Ref): Snap$tuple2$i32$struct$m_Point + requires acc(tuple2$i32$struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$tuple2$i32$struct$m_Point$$int$$Snap$struct$m_Point$Snap$tuple2$i32$struct$m_Point((unfolding acc(tuple2$i32$struct$m_Point(self), read$()) in + (unfolding acc(i32(self.tuple_0), read$()) in self.tuple_0.val_int)), (unfolding acc(tuple2$i32$struct$m_Point(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.tuple_1))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate 
m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(tuple2$i32$struct$m_Point(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate tuple2$i32$struct$m_Point(self: Ref) { + acc(self.tuple_0, write) && + (acc(i32(self.tuple_0), write) && + (acc(self.tuple_1, write) && acc(struct$m_Point(self.tuple_1), write))) +} + +method m_valid() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Int + var __t18: Bool + var __t19: Bool + var __t20: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Int + var _8: Ref + var _9: Int + var _10: Ref + var _11: Ref + var _12: Int + var _13: Ref + var _14: Int + var _15: Ref + + label start + // ========== start ========== + // Def path: "Knights_tour::valid" + // Span: tests/verify/pass/rosetta/Knights_tour.rs:160:1: 165:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := false + __t16 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + 
acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _2 = discriminant((*_1)) + _2 := builtin$havoc_int() + _2 := m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _2) -> [0: bb1, 1: bb2, otherwise: bb3] + __t17 := _2 + // Ignore default target bb3, as the compiler marked it as unreachable. + if (__t17 == 0) { + goto bb11 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb1] + // ========== bb4 ========== + __t3 := true + // [mir] StorageLive(_3) + // [mir] _3 = &((((*_1) as Some).0: (i32, Point)).1: Point) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_1.val_ref), read$()) + unfold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(_1.val_ref.enum_Some), read$()) + unfold acc(tuple2$i32$struct$m_Point(_1.val_ref.enum_Some.f$0), read$()) + _3.val_ref := _1.val_ref.enum_Some.f$0.tuple_1 + inhale acc(struct$m_Point(_3.val_ref), read$()) + label l2 + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] _7 = ((*_3).0: i32) + _7 := builtin$havoc_int() + unfold acc(struct$m_Point(_3.val_ref), read$()) + unfold acc(i32(_3.val_ref.f$x), read$()) + _7 := _3.val_ref.f$x.val_int + label l3 + // [mir] _6 = Le(const 0_i32, move _7) + _6 := builtin$havoc_ref() + inhale acc(_6.val_bool, write) + _6.val_bool := 0 <= _7 + // [mir] StorageDead(_7) + // [mir] switchInt(move _6) -> [0: bb11, otherwise: bb12] + __t18 := _6.val_bool + if (!__t18) { + goto l1 + } + goto l0 + + label bb11 + // ========== l1 
========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t15 := true + // [mir] _0 = const true + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := true + // [mir] goto -> bb16 + goto bb13 + + label bb12 + // ========== l14 ========== + // MIR edge bb10 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L3,) + + if (__t3) { + // expire loan L3 + fold acc(i32(_3.val_ref.f$y), read$()) + fold acc(i32(_3.val_ref.f$x), read$()) + fold acc(struct$m_Point(_3.val_ref), read$()) + exhale acc(struct$m_Point(_3.val_ref), read$()) + } + // ========== bb5 ========== + __t13 := true + // [mir] _0 = const false + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := false + // [mir] goto -> bb7 + goto bb14 + + label bb13 + // ========== bb16 ========== + __t16 := true + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l19 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label bb14 + // ========== bb7 ========== + __t14 := true + // [mir] StorageDead(_13) + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] goto -> bb16 + // ========== l23 ========== + fold acc(tuple2$i32$struct$m_Point(_1.val_ref.enum_Some.f$0), read$()) + fold 
acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_Some(_1.val_ref.enum_Some), read$()) + fold acc(m_std$$option$$Option$_beg_$tuple2$i32$struct$m_Point$_end_(_1.val_ref), read$()) + // drop Acc(_6.val_bool, write) (Acc(_6.val_bool, write)) + // drop Acc(_7.val_int, write) (Acc(_7.val_int, write)) + // drop Acc(_5.val_bool, write) (Acc(_5.val_bool, write)) + // drop Acc(_3.val_ref, write) (Acc(_3.val_ref, write)) + // drop Acc(_4.val_bool, write) (Acc(_4.val_bool, write)) + goto bb13 + + label bb2 + // ========== l9 ========== + // MIR edge bb13 --> bb9 + // ========== bb9 ========== + __t8 := true + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] _12 = ((*_3).1: i32) + _12 := builtin$havoc_int() + unfold acc(i32(_3.val_ref.f$y), read$()) + _12 := _3.val_ref.f$y.val_int + label l11 + // [mir] _11 = Le(const 0_i32, move _12) + _11 := builtin$havoc_ref() + inhale acc(_11.val_bool, write) + _11.val_bool := 0 <= _12 + // [mir] StorageDead(_12) + // [mir] _4 = move _11 + _4 := _11 + label l12 + // [mir] goto -> bb10 + // ========== l20 ========== + // drop Acc(_12.val_int, write) (Acc(_12.val_int, write)) + goto l4 + + label bb3 + // ========== bb13 ========== + __t7 := true + // [mir] StorageDead(_8) + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb8, otherwise: bb9] + __t19 := _5.val_bool + if (!__t19) { + goto bb4 + } + goto bb2 + + label bb4 + // ========== l10 ========== + // MIR edge bb13 --> bb8 + // ========== bb8 ========== + __t9 := true + // [mir] _4 = const false + _4 := builtin$havoc_ref() + inhale acc(_4.val_bool, write) + _4.val_bool := false + // [mir] goto -> bb10 + // ========== l21 ========== + unfold acc(i32(_3.val_ref.f$y), read$()) + goto l4 + + label l0 + // ========== l4 ========== + // MIR edge bb4 --> bb12 + // ========== bb12 ========== + __t4 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = ((*_3).0: i32) + _9 := builtin$havoc_int() + _9 := _3.val_ref.f$x.val_int + 
label l6 + // [mir] StorageLive(_10) + // [mir] _10 = size() -> [return: bb14, unwind: bb17] + label l7 + _10 := builtin$havoc_ref() + inhale acc(i32(_10), write) + inhale (unfolding acc(i32(_10), write) in _10.val_int) == + f_size__$TY$__$int$() + // ========== bb14 ========== + __t5 := true + // [mir] _8 = Lt(move _9, move _10) + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + unfold acc(i32(_10), write) + _8.val_bool := _9 < _10.val_int + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] _5 = move _8 + _5 := _8 + label l8 + // [mir] goto -> bb13 + // ========== l18 ========== + // drop Acc(_9.val_int, write) (Acc(_9.val_int, write)) + // drop Acc(_10.val_int, write) (Acc(_10.val_int, write)) + goto bb3 + + label l1 + // ========== l5 ========== + // MIR edge bb4 --> bb11 + // ========== bb11 ========== + __t6 := true + // [mir] _5 = const false + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := false + // [mir] goto -> bb13 + goto bb3 + + label l4 + // ========== bb10 ========== + __t10 := true + // [mir] StorageDead(_11) + // [mir] StorageDead(_5) + // [mir] switchInt(move _4) -> [0: bb5, otherwise: bb6] + __t20 := _4.val_bool + if (!__t20) { + goto bb12 + } + goto l5 + + label l5 + // ========== l13 ========== + // MIR edge bb10 --> bb6 + // ========== bb6 ========== + __t11 := true + // [mir] StorageLive(_13) + // [mir] StorageLive(_14) + // [mir] _14 = ((*_3).1: i32) + _14 := builtin$havoc_int() + _14 := _3.val_ref.f$y.val_int + label l15 + // expire_borrows ReborrowingDAG(L3,) + + if (__t3) { + // expire loan L3 + fold acc(i32(_3.val_ref.f$y), read$()) + fold acc(i32(_3.val_ref.f$x), read$()) + fold acc(struct$m_Point(_3.val_ref), read$()) + exhale acc(struct$m_Point(_3.val_ref), read$()) + } + // [mir] StorageLive(_15) + // [mir] _15 = size() -> [return: bb15, unwind: bb17] + label l16 + _15 := builtin$havoc_ref() + inhale acc(i32(_15), write) + inhale (unfolding acc(i32(_15), write) in _15.val_int) == 
+ f_size__$TY$__$int$() + // ========== bb15 ========== + __t12 := true + // [mir] _13 = Lt(move _14, move _15) + _13 := builtin$havoc_ref() + inhale acc(_13.val_bool, write) + unfold acc(i32(_15), write) + _13.val_bool := _14 < _15.val_int + // [mir] StorageDead(_15) + // [mir] StorageDead(_14) + // [mir] _0 = move _13 + _0 := _13 + label l17 + // [mir] goto -> bb7 + // ========== l22 ========== + // drop Acc(_14.val_int, write) (Acc(_14.val_int, write)) + // drop Acc(_15.val_int, write) (Acc(_15.val_int, write)) + goto bb14 + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--knuth_shuffle-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--knuth_shuffle-Both.vpr new file mode 100644 index 00000000..1570419f --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--knuth_shuffle-Both.vpr 
@@ -0,0 +1,1065 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + + function mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): 
FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function 
f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function 
bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + 
function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1, + _2), + true] + + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + 
ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate struct$m_ThreadRngWrapper(self: Ref) + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) { + true +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_knuth_shuffle() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var _preserve$0: Ref + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Ref + var _5: Ref + var _6: Int + var _8: Ref + var _9: Int + var _10: Int + var _12: Ref + var _17: Ref + var _21: Ref + var _25: Int + var _26: Ref + var _27: Int + var _28: Ref + var _29: Int + var _30: Int + var _31: Ref + var _32: Ref + var _33: Ref + var _34: Int + var _35: Ref + var _36: Ref + var _37: Int + var _38: Int + var _39: Ref + var _40: Ref + var _41: Ref + + label start + // ========== start ========== + // Def path: "Knuth_shuffle::knuth_shuffle" + // Span: tests/verify/pass/rosetta/Knuth_shuffle.rs:82:1: 96:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 := 
false + __t16 := false + __t17 := false + __t18 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(struct$m_VecWrapperI32(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] _2 = thread_rng() -> [return: bb1, unwind: bb22] + label l0 + _2 := builtin$havoc_ref() + inhale acc(struct$m_ThreadRngWrapper(_2), write) + inhale true + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] FakeRead(ForLet(None), _2) + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = &(*_1) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + _4.val_ref := _1.val_ref + exhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + inhale acc(struct$m_VecWrapperI32(_4.val_ref), read$()) + label l2 + // [mir] _3 = VecWrapperI32::len(move _4) -> [return: bb2, unwind: bb22] + label l3 + _3 := builtin$havoc_int() + inhale _3 >= 0 + inhale _3 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_4.val_ref)) + // transfer perm _4.val_ref --> old[l3](_4.val_ref) // unchecked: false + // ========== l4 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L11,L0,) + + if (__t1 && __t1) { + // expire loan L0 + // transfer perm old[l3](_4.val_ref) --> old[l2](_4.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l2](_4.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + } + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_4) + // [mir] FakeRead(ForLet(None), _3) + // [mir] StorageLive(_5) + // [mir] _5 = const 0_usize + _5 := builtin$havoc_ref() + inhale acc(_5.val_int, write) + _5.val_int := 0 + // [mir] FakeRead(ForLet(None), _5) + // [mir] StorageLive(_6) + // [mir] _6 = const 0_usize + _6 := builtin$havoc_int() + _6 := 0 + // [mir] 
FakeRead(ForLet(None), _6) + // [mir] goto -> bb3 + // ========== loop3_start ========== + // ========== loop3_group1_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb22] + // ========== loop3_group1_bb4 ========== + __t4 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _5 + _9 := builtin$havoc_int() + _9 := _5.val_int + label l5 + // [mir] StorageLive(_10) + // [mir] _10 = _3 + _10 := builtin$havoc_int() + inhale _3 >= 0 + _10 := _3 + label l6 + // [mir] _8 = Lt(move _9, move _10) + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _9 < _10 + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] switchInt(move _8) -> [0: bb21, otherwise: bb5] + __t19 := _8.val_bool + if (__t19) { + goto bb0 + } + goto return + + label bb0 + // ========== l8 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group2_bb5 ========== + __t5 := true + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] _12 = const false + _12 := builtin$havoc_ref() + inhale acc(_12.val_bool, write) + _12.val_bool := false + // [mir] switchInt(move _12) -> [0: bb7, otherwise: bb6] + __t20 := _12.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb3) + _preserve$0 := _1.val_ref + fold acc(usize(_5), write) + // obtain acc(usize(_5), write) + // obtain acc(struct$m_ThreadRngWrapper(_2), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert _3 >= 0 + // obtain (_3) >= (0) + assert _6 >= 0 + // obtain (_6) >= (0) + assert 0 <= (unfolding acc(usize(_5), write) in _5.val_int) && + (unfolding acc(usize(_5), write) in _5.val_int) < _3 && + (_6 == 0 && + _3 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(usize(_5), write) && + (acc(struct$m_ThreadRngWrapper(_2), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && (_3 >= 0 && _6 >= 0)))) + _10 := builtin$havoc_int() + _12 := builtin$havoc_ref() + _17 := builtin$havoc_ref() + _21 := builtin$havoc_ref() + _25 := builtin$havoc_int() + _26 := builtin$havoc_ref() + _27 := builtin$havoc_int() + _28 := builtin$havoc_ref() + _29 := builtin$havoc_int() + _30 := builtin$havoc_int() + _31 := builtin$havoc_ref() + _32 := builtin$havoc_ref() + _33 := builtin$havoc_ref() + _34 := builtin$havoc_int() + _35 := builtin$havoc_ref() + _36 := builtin$havoc_ref() + _37 := builtin$havoc_int() + _38 := builtin$havoc_int() + _39 := builtin$havoc_ref() + _40 := builtin$havoc_ref() + _41 := builtin$havoc_ref() + _5 := builtin$havoc_ref() + _8 := builtin$havoc_ref() + _9 := builtin$havoc_int() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 
:= builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t6 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + // ========== loop3_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb3 + inhale acc(usize(_5), write) && + (acc(struct$m_ThreadRngWrapper(_2), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && (_3 >= 0 && _6 >= 0)))) + inhale _preserve$0 == _1.val_ref + inhale true + // ========== loop3_group2a_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb22] + // ========== loop3_group2a_bb4 ========== + __t4 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _5 + _9 := builtin$havoc_int() + unfold acc(usize(_5), write) + _9 := _5.val_int + label l9 + // [mir] StorageLive(_10) + // [mir] _10 = _3 + _10 := builtin$havoc_int() + inhale _3 >= 0 + _10 := _3 + label l10 + // [mir] _8 = Lt(move _9, move _10) + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _9 < _10 + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] switchInt(move _8) -> [0: bb21, otherwise: bb5] + __t21 := _8.val_bool + if (__t21) { + goto l4 + } + goto bb1 + + label bb1 + // ========== l11 ========== + // MIR edge bb4 --> bb21 + goto end_of_method + + label bb2 + // ========== l33 ========== + // MIR edge bb4 --> bb21 + // ========== l35 ========== + // drop Acc(_31.tuple_1.val_bool, write) (Acc(_31.tuple_1.val_bool, write)) + // drop Acc(_39.tuple_1.val_bool, write) (Acc(_39.tuple_1.val_bool, write)) + // drop Acc(_29.val_int, write) (Acc(_29.val_int, write)) + 
// drop Acc(_21.val_bool, write) (Acc(_21.val_bool, write)) + // drop Acc(_30.val_int, write) (Acc(_30.val_int, write)) + // drop Acc(_36.val_int, write) (Acc(_36.val_int, write)) + // drop Acc(_41.tuple_0, write) (Acc(_41.tuple_0, write)) + // drop Acc(_25.val_int, write) (Acc(_25.val_int, write)) + // drop Acc(_38.val_int, write) (Acc(_38.val_int, write)) + // drop Acc(_37.val_int, write) (Acc(_37.val_int, write)) + // drop Acc(_12.val_bool, write) (Acc(_12.val_bool, write)) + // drop Acc(_40.tuple_1.val_bool, write) (Acc(_40.tuple_1.val_bool, write)) + // drop Acc(_31.tuple_0, write) (Acc(_31.tuple_0, write)) + // drop Acc(_39.tuple_0, write) (Acc(_39.tuple_0, write)) + // drop Acc(_40.tuple_0, write) (Acc(_40.tuple_0, write)) + // drop Acc(_41.tuple_1.val_bool, write) (Acc(_41.tuple_1.val_bool, write)) + // drop Acc(_17.val_bool, write) (Acc(_17.val_bool, write)) + // drop Pred(_32, write) (Pred(_32, write)) + // drop Acc(_41.tuple_1, write) (Acc(_41.tuple_1, write)) + // drop Acc(_40.tuple_1, write) (Acc(_40.tuple_1, write)) + // drop Acc(_31.tuple_1, write) (Acc(_31.tuple_1, write)) + // drop Acc(_39.tuple_1, write) (Acc(_39.tuple_1, write)) + goto loop3_start + + label l4 + // ========== l12 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group2b_bb5 ========== + __t5 := true + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] _12 = const false + _12 := builtin$havoc_ref() + inhale acc(_12.val_bool, write) + _12.val_bool := false + // [mir] switchInt(move _12) -> [0: bb7, otherwise: bb6] + __t22 := _12.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb3 + inhale 0 <= _5.val_int && _5.val_int < _3 && + (_6 == 0 && + _3 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) + // ========== loop3_group3_bb7 ========== + __t6 := true + // [mir] _11 = const () + // [mir] goto -> bb8 + // ========== loop3_group3_bb8 ========== + __t7 := true + // [mir] StorageDead(_12) + // [mir] StorageDead(_11) + // [mir] StorageLive(_16) + // [mir] StorageLive(_17) + // [mir] _17 = const false + _17 := builtin$havoc_ref() + inhale acc(_17.val_bool, write) + _17.val_bool := false + // [mir] switchInt(move _17) -> [0: bb10, otherwise: bb9] + __t23 := _17.val_bool + // Ignore default target bb9, as it is only used by Prusti to type-check a loop invariant. + // ========== loop3_group3_bb10 ========== + __t8 := true + // [mir] _16 = const () + // [mir] goto -> bb11 + // ========== loop3_group3_bb11 ========== + __t9 := true + // [mir] StorageDead(_17) + // [mir] StorageDead(_16) + // [mir] StorageLive(_20) + // [mir] StorageLive(_21) + // [mir] _21 = const false + _21 := builtin$havoc_ref() + inhale acc(_21.val_bool, write) + _21.val_bool := false + // [mir] switchInt(move _21) -> [0: bb13, otherwise: bb12] + __t24 := _21.val_bool + // Ignore default target bb12, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_group3_bb13 ========== + __t10 := true + // [mir] _20 = const () + // [mir] goto -> bb14 + // ========== loop3_group3_bb14 ========== + __t11 := true + // [mir] StorageDead(_21) + // [mir] StorageDead(_20) + // [mir] StorageLive(_25) + // [mir] StorageLive(_26) + // [mir] _26 = &mut _2 + _26 := builtin$havoc_ref() + inhale acc(_26.val_ref, write) + _26.val_ref := _2 + label l13 + // [mir] StorageLive(_27) + // [mir] _27 = _6 + _27 := builtin$havoc_int() + inhale _6 >= 0 + _27 := _6 + label l14 + // [mir] StorageLive(_28) + // [mir] StorageLive(_29) + // [mir] _29 = _3 + _29 := builtin$havoc_int() + _29 := _3 + label l15 + // [mir] StorageLive(_30) + // [mir] _30 = _5 + _30 := builtin$havoc_int() + _30 := _5.val_int + label l16 + // [mir] _31 = CheckedSub(_29, _30) + _31 := builtin$havoc_ref() + inhale acc(_31.tuple_0, write) + inhale acc(_31.tuple_0.val_int, write) + inhale acc(_31.tuple_1, write) + inhale acc(_31.tuple_1.val_bool, write) + _31.tuple_0.val_int := _29 - _30 + _31.tuple_1.val_bool := false + // [mir] assert(!move (_31.1: bool), "attempt to compute `{} - {}`, which would overflow", move _29, move _30) -> [success: bb15, unwind: bb22] + __t25 := _31.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t25 + // ========== loop3_group3_bb15 ========== + __t12 := true + // [mir] _28 = move (_31.0: usize) + _28 := _31.tuple_0 + label l17 + // [mir] StorageDead(_30) + // [mir] StorageDead(_29) + // [mir] _25 = ThreadRngWrapper::gen_range(move _26, move _27, move _28) -> [return: bb16, unwind: bb22] + label l18 + assert _27 < _28.val_int + assert true + assert _27 >= 0 + fold acc(usize(_28), write) + exhale acc(_26.val_ref, write) && + (acc(struct$m_ThreadRngWrapper(_26.val_ref), write) && + (_27 >= 0 && acc(usize(_28), write))) + _25 := builtin$havoc_int() + inhale acc(struct$m_ThreadRngWrapper(old[l18](_26.val_ref)), write) + inhale _25 >= 0 + inhale true + inhale old[l18](_27) <= _25 && _25 < 
old[l18](_28.val_int) + label l19 + // ========== l20 ========== + // MIR edge bb15 --> bb16 + // Expire borrows + // expire_borrows ReborrowingDAG(L12,L6,) + + // ========== loop3_group3_bb16 ========== + __t13 := true + // [mir] StorageDead(_28) + // [mir] StorageDead(_27) + // [mir] StorageDead(_26) + // [mir] FakeRead(ForLet(None), _25) + // [mir] StorageLive(_32) + // [mir] StorageLive(_33) + // [mir] _33 = &mut (*_1) + _33 := builtin$havoc_ref() + inhale acc(_33.val_ref, write) + _33.val_ref := _1.val_ref + label l21 + // [mir] StorageLive(_34) + // [mir] _34 = _25 + _34 := builtin$havoc_int() + inhale _25 >= 0 + _34 := _25 + label l22 + // [mir] StorageLive(_35) + // [mir] StorageLive(_36) + // [mir] StorageLive(_37) + // [mir] _37 = _3 + _37 := builtin$havoc_int() + _37 := _3 + label l23 + // [mir] StorageLive(_38) + // [mir] _38 = _5 + _38 := builtin$havoc_int() + _38 := _5.val_int + label l24 + // [mir] _39 = CheckedSub(_37, _38) + _39 := builtin$havoc_ref() + inhale acc(_39.tuple_0, write) + inhale acc(_39.tuple_0.val_int, write) + inhale acc(_39.tuple_1, write) + inhale acc(_39.tuple_1.val_bool, write) + _39.tuple_0.val_int := _37 - _38 + _39.tuple_1.val_bool := false + // [mir] assert(!move (_39.1: bool), "attempt to compute `{} - {}`, which would overflow", move _37, move _38) -> [success: bb17, unwind: bb22] + __t26 := _39.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t26 + // ========== loop3_group3_bb17 ========== + __t14 := true + // [mir] _36 = move (_39.0: usize) + _36 := _39.tuple_0 + label l25 + // [mir] StorageDead(_38) + // [mir] StorageDead(_37) + // [mir] _40 = CheckedSub(_36, const 1_usize) + _40 := builtin$havoc_ref() + inhale acc(_40.tuple_0, write) + inhale acc(_40.tuple_0.val_int, write) + inhale acc(_40.tuple_1, write) + inhale acc(_40.tuple_1.val_bool, write) + _40.tuple_0.val_int := _36.val_int - 1 + _40.tuple_1.val_bool := false + // [mir] assert(!move (_40.1: bool), "attempt to compute `{} - 
{}`, which would overflow", move _36, const 1_usize) -> [success: bb18, unwind: bb22] + __t27 := _40.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t27 + // ========== loop3_group3_bb18 ========== + __t15 := true + // [mir] _35 = move (_40.0: usize) + _35 := _40.tuple_0 + label l26 + // [mir] StorageDead(_36) + // [mir] _32 = VecWrapperI32::swap(move _33, move _34, move _35) -> [return: bb19, unwind: bb22] + label l27 + assert 0 <= _34 && + _34 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_33.val_ref)) && + (0 <= _35.val_int && + _35.val_int < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_33.val_ref))) + assert true + assert _34 >= 0 + fold acc(usize(_35), write) + exhale acc(_33.val_ref, write) && + (acc(struct$m_VecWrapperI32(_33.val_ref), write) && + (_34 >= 0 && acc(usize(_35), write))) + _32 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l27](_33.val_ref)), write) + inhale acc(tuple0$(_32), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_33.val_ref))) == + old[l27](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_33.val_ref))) && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_33.val_ref)), + old[l27](_34)) == + old[l27](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_33.val_ref), + _35.val_int)) && + 
(f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_33.val_ref)), + old[l27](_35.val_int)) == + old[l27](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_33.val_ref), + _34)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_33.val_ref)))) || + (_0_quant_0 == old[l27](_34) || + (!(_0_quant_0 == old[l27](_35.val_int)) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l27](_33.val_ref)), + _0_quant_0) == + old[l27](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_33.val_ref), + _0_quant_0)))))))) + label l28 + // ========== l29 ========== + // MIR edge bb18 --> bb19 + // Expire borrows + // expire_borrows ReborrowingDAG(L13,L7,) + + // ========== loop3_group3_bb19 ========== + __t16 := true + // [mir] StorageDead(_35) + // [mir] StorageDead(_34) + // [mir] StorageDead(_33) + // [mir] StorageDead(_32) + // [mir] _41 = CheckedAdd(_5, const 1_usize) + _41 := builtin$havoc_ref() + inhale acc(_41.tuple_0, write) + inhale acc(_41.tuple_0.val_int, write) + inhale acc(_41.tuple_1, write) + inhale acc(_41.tuple_1.val_bool, write) + _41.tuple_0.val_int := _5.val_int + 1 + _41.tuple_1.val_bool := false + // [mir] assert(!move (_41.1: bool), "attempt to compute `{} + {}`, which would overflow", _5, const 1_usize) -> [success: bb20, unwind: bb22] + __t28 := _41.tuple_1.val_bool + // Rust assertion: attempt to 
add with overflow + assert !__t28 + // ========== loop3_group3_bb20 ========== + __t17 := true + // [mir] _5 = move (_41.0: usize) + _5 := _41.tuple_0 + label l30 + // [mir] _7 = const () + // [mir] StorageDead(_25) + // [mir] StorageDead(_8) + // [mir] goto -> bb3 + // ========== loop3_group4_bb3 ========== + // This is a loop head + __t3 := true + // [mir] falseUnwind -> [real: bb4, unwind: bb22] + // ========== loop3_group4_bb4 ========== + __t4 := true + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _5 + _9 := builtin$havoc_int() + _9 := _5.val_int + label l31 + // [mir] StorageLive(_10) + // [mir] _10 = _3 + _10 := builtin$havoc_int() + _10 := _3 + label l32 + // [mir] _8 = Lt(move _9, move _10) + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _9 < _10 + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] switchInt(move _8) -> [0: bb21, otherwise: bb5] + __t29 := _8.val_bool + if (__t29) { + goto loop3_group1_bb3 + } + goto bb2 + + label loop3_group1_bb3 + // ========== l34 ========== + // MIR edge bb4 --> bb5 + // ========== loop3_group5_bb5 ========== + __t5 := true + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] _12 = const false + _12 := builtin$havoc_ref() + inhale acc(_12.val_bool, write) + _12.val_bool := false + // [mir] switchInt(move _12) -> [0: bb7, otherwise: bb6] + __t30 := _12.val_bool + // Ignore default target bb6, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop3_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb3) + fold acc(usize(_5), write) + // obtain acc(usize(_5), write) + // obtain acc(struct$m_ThreadRngWrapper(_2), write) + // obtain acc(_1.val_ref, read) + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + assert _3 >= 0 + // obtain (_3) >= (0) + assert _6 >= 0 + // obtain (_6) >= (0) + assert 0 <= (unfolding acc(usize(_5), write) in _5.val_int) && + (unfolding acc(usize(_5), write) in _5.val_int) < _3 && + (_6 == 0 && + _3 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref))) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(usize(_5), write) && + (acc(struct$m_ThreadRngWrapper(_2), write) && + (acc(_1.val_ref, read$()) && + (acc(struct$m_VecWrapperI32(_1.val_ref), write) && (_3 >= 0 && _6 >= 0)))) + inhale false + goto end_of_method + + label loop3_start + // ========== bb21 ========== + __t18 := true + // [mir] StorageLive(_43) + // [mir] _0 = const () + // [mir] StorageDead(_43) + // [mir] StorageDead(_8) + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] StorageDead(_3) + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l36 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_VecWrapperI32(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_VecWrapperI32(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== l7 ========== + // MIR edge bb4 --> bb21 + goto loop3_start + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--main-Both.vpr new file mode 100644 index 00000000..6b9187e3 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "Knuth_shuffle::main" + // Span: tests/verify/pass/rosetta/Knuth_shuffle.rs:121:1: 121:12 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== 
+ __t0 := true + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--test-Both.vpr b/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--test-Both.vpr new file mode 100644 index 00000000..cef61cbc --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/rosetta/knuth_shuffle.rs/tests_verify_pass_rosetta_Knuth_shuffle_Knuth_shuffle.rs_Knuth_shuffle--test-Both.vpr 
@@ -0,0 +1,745 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation 
"fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: 
FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int 
interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: 
BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: 
Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) { + true +} + +method m_test() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var 
__t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var _1: Ref + var _2: Ref + var _5: Ref + var _6: Int + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Ref + var _14: Ref + var _15: Ref + var _16: Ref + var _17: Ref + var _18: Ref + var _19: Ref + var _20: Ref + var _21: Ref + var _22: Ref + + label start + // ========== start ========== + // Def path: "Knuth_shuffle::test" + // Span: tests/verify/pass/rosetta/Knuth_shuffle.rs:108:1: 119:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_1) + // [mir] _1 = VecWrapperI32::new() -> [return: bb1, unwind: bb13] + label l0 + _1 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(_1), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1)) == + 0 + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] FakeRead(ForLet(None), _1) + // [mir] StorageLive(_2) + // [mir] _2 = const 0_i32 + _2 := builtin$havoc_ref() + inhale acc(_2.val_int, write) + _2.val_int := 0 + // [mir] FakeRead(ForLet(None), _2) + // [mir] StorageLive(_3) + // [mir] goto -> bb2 + // ========== loop2_start ========== + // ========== loop2_group1_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb12] + // ========== loop2_group1_bb3 ========== + __t3 := true + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_int() + _6 := _2.val_int + label l2 + // [mir] _5 = Lt(move _6, const 10_i32) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 < 10 + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb7, 
otherwise: bb4] + __t12 := _5.val_bool + if (__t12) { + goto bb0 + } + goto return + + label bb0 + // ========== l4 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb2) + fold acc(i32(_2), write) + // obtain acc(i32(_2), write) + // obtain acc(struct$m_VecWrapperI32(_1), write) + assert true + exhale acc(i32(_2), write) && acc(struct$m_VecWrapperI32(_1), write) + _10 := builtin$havoc_ref() + _2 := builtin$havoc_ref() + _5 := builtin$havoc_ref() + _6 := builtin$havoc_int() + _7 := builtin$havoc_ref() + _8 := builtin$havoc_ref() + _9 := builtin$havoc_ref() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t2 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t6 := builtin$havoc_bool() + // ========== loop2_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb2 + inhale acc(i32(_2), write) && acc(struct$m_VecWrapperI32(_1), write) + inhale true + // ========== loop2_group2a_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb12] + // ========== loop2_group2a_bb3 ========== + __t3 := true + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_int() + unfold acc(i32(_2), write) + _6 := _2.val_int + label l5 + // [mir] _5 = Lt(move _6, const 10_i32) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 < 10 + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb7, otherwise: bb4] + __t13 := _5.val_bool + if (__t13) { + goto loop2_start + } + goto bb1 + + label bb1 + // ========== l6 ========== + // MIR edge bb3 --> bb7 + goto end_of_method + + label l3 + // ========== l16 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb2) + 
fold acc(i32(_2), write) + // obtain acc(i32(_2), write) + // obtain acc(struct$m_VecWrapperI32(_1), write) + assert true + exhale acc(i32(_2), write) && acc(struct$m_VecWrapperI32(_1), write) + inhale false + goto end_of_method + + label loop2_group1_bb2 + // ========== l15 ========== + // MIR edge bb3 --> bb7 + // ========== l32 ========== + // drop Acc(_10.tuple_0, write) (Acc(_10.tuple_0, write)) + // drop Acc(_10.tuple_1.val_bool, write) (Acc(_10.tuple_1.val_bool, write)) + // drop Pred(_7, write) (Pred(_7, write)) + // drop Acc(_10.tuple_1, write) (Acc(_10.tuple_1, write)) + goto loop2_group1_bb3 + + label loop2_group1_bb3 + // ========== bb7 ========== + __t7 := true + // [mir] StorageLive(_12) + // [mir] _3 = const () + // [mir] StorageDead(_12) + // [mir] StorageDead(_5) + // [mir] StorageDead(_3) + // [mir] StorageLive(_14) + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] _16 = &mut _1 + _16 := builtin$havoc_ref() + inhale acc(_16.val_ref, write) + _16.val_ref := _1 + label l17 + // [mir] _15 = &mut (*_16) + _15 := builtin$havoc_ref() + inhale acc(_15.val_ref, write) + _15.val_ref := _16.val_ref + label l18 + // [mir] _14 = print_vector_before(move _15) -> [return: bb8, unwind: bb12] + label l19 + assert true + exhale acc(_15.val_ref, write) && + acc(struct$m_VecWrapperI32(_15.val_ref), write) + _14 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l19](_15.val_ref)), write) + inhale acc(tuple0$(_14), write) + inhale true + label l20 + // ========== l21 ========== + // MIR edge bb7 --> bb8 + // Expire borrows + // expire_borrows ReborrowingDAG(L10,L2,L1,) + + // ========== bb8 ========== + __t8 := true + // [mir] StorageDead(_15) + // [mir] StorageDead(_16) + // [mir] StorageDead(_14) + // [mir] StorageLive(_17) + // [mir] StorageLive(_18) + // [mir] StorageLive(_19) + // [mir] _19 = &mut _1 + _19 := builtin$havoc_ref() + inhale acc(_19.val_ref, write) + _19.val_ref := _1 + label l22 + // [mir] _18 = &mut (*_19) + _18 := 
builtin$havoc_ref() + inhale acc(_18.val_ref, write) + _18.val_ref := _19.val_ref + label l23 + // [mir] _17 = knuth_shuffle(move _18) -> [return: bb9, unwind: bb12] + label l24 + assert true + exhale acc(_18.val_ref, write) && + acc(struct$m_VecWrapperI32(_18.val_ref), write) + _17 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l24](_18.val_ref)), write) + inhale acc(tuple0$(_17), write) + inhale true + label l25 + // ========== l26 ========== + // MIR edge bb8 --> bb9 + // Expire borrows + // expire_borrows ReborrowingDAG(L9,L4,L3,) + + // ========== bb9 ========== + __t9 := true + // [mir] StorageDead(_18) + // [mir] StorageDead(_19) + // [mir] StorageDead(_17) + // [mir] StorageLive(_20) + // [mir] StorageLive(_21) + // [mir] StorageLive(_22) + // [mir] _22 = &mut _1 + _22 := builtin$havoc_ref() + inhale acc(_22.val_ref, write) + _22.val_ref := _1 + label l27 + // [mir] _21 = &mut (*_22) + _21 := builtin$havoc_ref() + inhale acc(_21.val_ref, write) + _21.val_ref := _22.val_ref + label l28 + // [mir] _20 = print_vector_after(move _21) -> [return: bb10, unwind: bb12] + label l29 + assert true + exhale acc(_21.val_ref, write) && + acc(struct$m_VecWrapperI32(_21.val_ref), write) + _20 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l29](_21.val_ref)), write) + inhale acc(tuple0$(_20), write) + inhale true + label l30 + // ========== l31 ========== + // MIR edge bb9 --> bb10 + // Expire borrows + // expire_borrows ReborrowingDAG(L11,L6,L5,) + + // ========== bb10 ========== + __t10 := true + // [mir] StorageDead(_21) + // [mir] StorageDead(_22) + // [mir] StorageDead(_20) + // [mir] _0 = const () + // [mir] StorageDead(_2) + // [mir] drop(_1) -> [return: bb11, unwind: bb13] + // ========== bb11 ========== + __t11 := true + // [mir] StorageDead(_1) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l33 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label loop2_start + // ========== l7 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb2 + // ========== loop2_group3_bb4 ========== + __t4 := true + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = &mut _1 + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + _8.val_ref := _1 + label l8 + // [mir] StorageLive(_9) + // [mir] _9 = _2 + _9 := builtin$havoc_ref() + inhale acc(_9.val_int, write) + _9.val_int := _2.val_int + label l9 + // [mir] _7 = VecWrapperI32::push(move _8, move _9) -> [return: bb5, unwind: bb12] + label l10 + assert true + fold acc(i32(_9), write) + exhale acc(_8.val_ref, write) && + (acc(struct$m_VecWrapperI32(_8.val_ref), write) && acc(i32(_9), write)) + _7 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l10](_8.val_ref)), write) + inhale acc(tuple0$(_7), write) + inhale true + inhale f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l10](_8.val_ref))) == + old[l10](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_8.val_ref))) + + 1 + label l11 + // ========== l12 ========== + // MIR edge bb4 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L12,L0,) + + // ========== 
loop2_group3_bb5 ========== + __t5 := true + // [mir] StorageDead(_9) + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] _10 = CheckedAdd(_2, const 1_i32) + _10 := builtin$havoc_ref() + inhale acc(_10.tuple_0, write) + inhale acc(_10.tuple_0.val_int, write) + inhale acc(_10.tuple_1, write) + inhale acc(_10.tuple_1.val_bool, write) + _10.tuple_0.val_int := _2.val_int + 1 + _10.tuple_1.val_bool := false + // [mir] assert(!move (_10.1: bool), "attempt to compute `{} + {}`, which would overflow", _2, const 1_i32) -> [success: bb6, unwind: bb12] + __t14 := _10.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t14 + // ========== loop2_group3_bb6 ========== + __t6 := true + // [mir] _2 = move (_10.0: i32) + _2 := _10.tuple_0 + label l13 + // [mir] _4 = const () + // [mir] StorageDead(_5) + // [mir] goto -> bb2 + // ========== loop2_group4_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb12] + // ========== loop2_group4_bb3 ========== + __t3 := true + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_int() + _6 := _2.val_int + label l14 + // [mir] _5 = Lt(move _6, const 10_i32) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 < 10 + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb7, otherwise: bb4] + __t15 := _5.val_bool + if (__t15) { + goto l3 + } + goto loop2_group1_bb2 + + label return + // ========== l3 ========== + // MIR edge bb3 --> bb7 + goto loop2_group1_bb3 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--borrow_nth-Both.vpr b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--borrow_nth-Both.vpr new file mode 100644 index 00000000..c145ba98 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--borrow_nth-Both.vpr 
@@ -0,0 +1,1001 @@ +domain MirrorDomain { + + function mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + + function mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + axiom 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Route, _r_0: Snap$struct$m_Route :: + { 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0), + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + 1) + 
} + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Route :: + { Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + 
cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + 
function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: Snap$struct$m_Route): Snap$struct$m_Point + + function Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: 
FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function 
f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, 
b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain 
BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + 
function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_length__$TY$__Snap$struct$m_Route$$int$(_1) + ensures true + ensures [result == + mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1, _2), + true] +{ + (_2 != 0 ? 
+ (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)), + _2 - 1)) : + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(_1))) +} + +function f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int + requires true + requires true + ensures result > 0 + ensures [result == + mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? 
+ 1 : + 1 + + f_length__$TY$__Snap$struct$m_Route$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)))) +} + +function m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) +} + +function 
snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.enum_Some.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self.enum_Some.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding 
acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + 
(acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Route(self.val_ref), write) +} + +method m_borrow_nth() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Int + var __t12: Bool + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Int + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Int + var _11: Ref + var _12: Ref + var _13: Ref + var _14: Ref + var _15: Int + var _16: Ref + + label start + // ========== start ========== + // Def path: "routes::borrow_nth" + // Span: tests/verify/pass/paper-examples/routes.rs:55:1: 64:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Route(_1.val_ref), write) && acc(i32(_2), write)) + inhale true + inhale 0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding acc(i32(_2), write) in _2.val_int) < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_int() + unfold acc(i32(_2), write) + _6 := _2.val_int + label 
l0 + // [mir] _5 = Eq(move _6, const 0_i32) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 == 0 + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb2, otherwise: bb1] + __t10 := _5.val_bool + if (__t10) { + goto bb1 + } + goto bb0 + + label bb0 + // ========== l1 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] StorageLive(_9) + // [mir] FakeRead(ForMatchedPlace(None), ((*_1).1: std::option::Option>)) + // [mir] _10 = discriminant(((*_1).1: std::option::Option>)) + _10 := builtin$havoc_int() + unfold acc(struct$m_Route(_1.val_ref), write) + _10 := m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(_1.val_ref.f$rest) + // [mir] switchInt(move _10) -> [0: bb3, 1: bb4, otherwise: bb5] + __t11 := _10 + // Ignore default target bb5, as the compiler marked it as unreachable. 
+ if (__t11 == 0) { + goto l2 + } + goto l1 + + label bb1 + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t1 := true + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = &mut ((*_1).0: Point) + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + unfold acc(struct$m_Route(_1.val_ref), write) + _8.val_ref := _1.val_ref.f$current + label l3 + // [mir] _7 = &mut (*_8) + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _8.val_ref + label l4 + // [mir] _4 = &mut (*_7) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + _4.val_ref := _7.val_ref + label l5 + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] goto -> bb9 + // ========== l20 ========== + // drop Pred(_1.val_ref.f$rest, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // drop Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + goto bb2 + + label bb2 + // ========== bb9 ========== + __t8 := true + // [mir] _3 = &mut (*_4) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + _3.val_ref := _4.val_ref + label l16 + // [mir] StorageDead(_5) + // [mir] _0 = &mut (*_3) + _0 := builtin$havoc_ref() + inhale acc(_0.val_ref, write) + _0.val_ref := _3.val_ref + label l17 + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // obtain ((acc(struct$m_Point(_0.val_ref), write)) && (true)) && ((true) && (true)) + label l18 + package acc(DeadBorrowToken$(-1), write) && + acc(struct$m_Point(old[l18](_0.val_ref)), write) --* + acc(struct$m_Route(old[pre](_1.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref))) == + old[pre](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref))) && + 
(f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) == + old[lhs]((unfolding acc(struct$m_Point(old[l18](_0.val_ref)), write) in + (unfolding acc(i32(old[l18](_0.val_ref).f$x), write) in + old[l18](_0.val_ref).f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)))) || + (!(_0_quant_0 == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + _0_quant_0) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + _0_quant_0))))))) { + var _old$l13$0$p0: Ref + // expire_borrows ReborrowingDAG(L4,L3,L8,L7,L2,L1,L12,L13,L6,L5,L0,) + + if (__t8) { + // expire loan L4 + // transfer perm _0.val_ref --> old[l17](_3.val_ref) // unchecked: false + } + if (__t8 && __t8) { + // expire loan L3 + // transfer perm old[l17](_3.val_ref) --> old[l16](_3.val_ref) // unchecked: false + // transfer perm old[l16](_3.val_ref) --> old[l16](_4.val_ref) // unchecked: false + } + if (__t8 && __t8 && __t7) { + // restored (from log): Acc(_1.val_ref.f$rest[enum_Some], write) + // restored (from log): Acc(_1.val_ref.f$rest[enum_Some].f$0, write) + // restored (from log): Acc(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write) + // restored (from log): Acc(_1.val_ref.f$rest.discriminant, write) + // restored (from log): Acc(_9.val_ref, write) + // restored (from log): Acc(_11.val_ref, write) + // restored (from log): Acc(_12.val_ref, write) + // restored (from log): Pred(_1.val_ref.f$current, write) + } + if (__t8 && __t8 && __t1) { + // restored (from 
log): Pred(_1.val_ref.f$rest, write) + // restored (from log): Acc(_8.val_ref, write) + // restored (from log): Acc(_7.val_ref, write) + } + if (__t7 && (__t8 && __t8)) { + // expire loan L8 + // transfer perm old[l16](_4.val_ref) --> old[l15](_4.val_ref) // unchecked: false + // transfer perm old[l15](_4.val_ref) --> old[l15](_9.val_ref) // unchecked: false + } + if (__t7 && (__t7 && (__t8 && __t8))) { + // expire loan L7 + // transfer perm old[l15](_9.val_ref) --> old[l14](_9.val_ref) // unchecked: false + // transfer perm old[l14](_9.val_ref) --> old[l14](_12.val_ref) // unchecked: false + } + if (__t1 && (__t8 && __t8)) { + // expire loan L2 + // transfer perm old[l16](_4.val_ref) --> old[l5](_4.val_ref) // unchecked: false + // transfer perm old[l5](_4.val_ref) --> old[l5](_7.val_ref) // unchecked: false + } + if (__t1 && (__t1 && (__t8 && __t8))) { + // expire loan L1 + // transfer perm old[l5](_7.val_ref) --> old[l4](_7.val_ref) // unchecked: false + // transfer perm old[l4](_7.val_ref) --> old[l4](_8.val_ref) // unchecked: false + } + if (__t6 && (__t7 && (__t7 && (__t8 && __t8)))) { + // expire loan L12 + _old$l13$0$p0 := old[l14](_12.val_ref) + inhale acc(DeadBorrowToken$(12), write) && + acc(struct$m_Point(_old$l13$0$p0), write) --* + acc(struct$m_Route(old[l12](_13.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref))) == + old[l12](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + old[l12](_14.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l13$0$p0), write) in + (unfolding acc(i32(_old$l13$0$p0.f$x), write) in + _old$l13$0$p0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + 
f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)))) || + (!(_0_quant_0 == old[l12](_14.val_int)) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + _0_quant_0) == + old[l12](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref), + _0_quant_0))))))) + inhale acc(DeadBorrowToken$(12), write) + apply acc(DeadBorrowToken$(12), write) && + acc(struct$m_Point(_old$l13$0$p0), write) --* + acc(struct$m_Route(old[l12](_13.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref))) == + old[l12](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + old[l12](_14.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l13$0$p0), write) in + (unfolding acc(i32(_old$l13$0$p0.f$x), write) in + _old$l13$0$p0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)))) || + (!(_0_quant_0 == old[l12](_14.val_int)) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l12](_13.val_ref)), + _0_quant_0) == + old[l12](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref), + _0_quant_0))))))) + } + if (__t6 && (__t6 && (__t7 && (__t7 && (__t8 && __t8))))) { + // expire loan L13 + } + if (__t5 && (__t6 && 
(__t6 && (__t7 && (__t7 && (__t8 && __t8)))))) { + // expire loan L6 + // transfer perm old[l12](_13.val_ref) --> old[l9](_13.val_ref) // unchecked: false + // transfer perm old[l9](_13.val_ref) --> old[l9](_11.val_ref) // unchecked: false + } + if (__t5 && + (__t5 && (__t6 && (__t6 && (__t7 && (__t7 && (__t8 && __t8))))))) { + // expire loan L5 + // transfer perm old[l9](_11.val_ref) --> old[l8](_11.val_ref) // unchecked: false + // transfer perm old[l8](_11.val_ref) --> _1.val_ref.f$rest[enum_Some].f$0.val_ref // unchecked: false + assert acc(old[l18](_1.val_ref).f$rest, read$()) + assert acc(old[l18](_1.val_ref).f$rest.enum_Some, read$()) + assert acc(old[l18](_1.val_ref).f$rest.enum_Some.f$0, read$()) + fold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(old[l18](_1.val_ref).f$rest.enum_Some.f$0), write) + assert acc(old[l18](_1.val_ref).f$rest, read$()) + assert acc(old[l18](_1.val_ref).f$rest.enum_Some, read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(old[l18](_1.val_ref).f$rest.enum_Some), write) + assert acc(old[l18](_1.val_ref).f$rest, read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(old[l18](_1.val_ref).f$rest), write) + // drop Acc(_9.val_ref, write) (Acc(_9.val_ref, write)) + // restored (in branch merge): Acc(_9.val_ref, write) (Acc(_9.val_ref, write)) + // drop Acc(old[l14](_12.val_ref), write) (Acc(old[l14](_12.val_ref), write)) + // drop Acc(_11.val_ref, write) (Acc(_11.val_ref, write)) + // restored (in branch merge): Acc(_11.val_ref, write) (Acc(_11.val_ref, write)) + // drop Acc(_12.val_ref, write) (Acc(_12.val_ref, write)) + // restored (in branch merge): Acc(_12.val_ref, write) (Acc(_12.val_ref, write)) + } + if (__t1 && (__t1 && (__t1 && (__t8 && __t8)))) { + // expire loan L0 + // transfer perm old[l4](_8.val_ref) --> old[l3](_8.val_ref) // unchecked: false + // transfer 
perm old[l3](_8.val_ref) --> _1.val_ref.f$current // unchecked: false + // drop Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // restored (in branch merge): Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // drop Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + // restored (in branch merge): Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + } + // Fold predicates for &mut args + // transfer perm _1.val_ref --> old[pre](_1.val_ref) // unchecked: false + fold acc(struct$m_Route(old[pre](_1.val_ref)), write) + // obtain acc(struct$m_Route(old[pre](_1.val_ref)), write) + } + // transfer perm old[l18](_0.val_ref) --> _0.val_ref // unchecked: false + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l19 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + // obtain acc(struct$m_Point(_0.val_ref), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(struct$m_Point(_0.val_ref), write) in + (unfolding acc(i32(_0.val_ref.f$x), write) in + _0.val_ref.f$x.val_int == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + (unfolding acc(i32(_2), write) in _2.val_int))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(_0.val_ref, write) && acc(struct$m_Point(_0.val_ref), write) + // Exhale permissions of postcondition (3/3) + exhale acc(DeadBorrowToken$(-1), write) && + acc(struct$m_Point(old[l19](_0.val_ref)), write) --* + acc(struct$m_Route(old[pre](_1.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref))) == + 
old[pre](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) == + old[lhs]((unfolding acc(struct$m_Point(old[l19](_0.val_ref)), write) in + (unfolding acc(i32(old[l19](_0.val_ref).f$x), write) in + old[l19](_0.val_ref).f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)))) || + (!(_0_quant_0 == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[pre](_1.val_ref)), + _0_quant_0) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + _0_quant_0))))))) + goto end_of_method + + label l1 + // ========== l6 ========== + // MIR edge bb2 --> bb4 + // ========== bb4 ========== + __t4 := true + // [mir] falseEdge -> [real: bb6, imaginary: bb3] + // ========== bb6 ========== + __t5 := true + // [mir] StorageLive(_11) + // [mir] _11 = &mut (*((((*_1).1: std::option::Option>) as Some).0: std::boxed::Box)) + _11 := builtin$havoc_ref() + inhale acc(_11.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), write) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), write) + _11.val_ref := 
_1.val_ref.f$rest.enum_Some.f$0.val_ref + label l8 + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = &mut (*_11) + _13 := builtin$havoc_ref() + inhale acc(_13.val_ref, write) + _13.val_ref := _11.val_ref + label l9 + // [mir] StorageLive(_14) + // [mir] StorageLive(_15) + // [mir] _15 = _2 + _15 := builtin$havoc_int() + _15 := _2.val_int + label l10 + // [mir] _16 = CheckedSub(_15, const 1_i32) + _16 := builtin$havoc_ref() + inhale acc(_16.tuple_0, write) + inhale acc(_16.tuple_0.val_int, write) + inhale acc(_16.tuple_1, write) + inhale acc(_16.tuple_1.val_bool, write) + _16.tuple_0.val_int := _15 - 1 + _16.tuple_1.val_bool := false + // [mir] assert(!move (_16.1: bool), "attempt to compute `{} - {}`, which would overflow", move _15, const 1_i32) -> [success: bb7, unwind: bb10] + __t12 := _16.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t12 + // ========== bb7 ========== + __t6 := true + // [mir] _14 = move (_16.0: i32) + _14 := _16.tuple_0 + label l11 + // [mir] StorageDead(_15) + // [mir] _12 = borrow_nth(move _13, move _14) -> [return: bb8, unwind: bb10] + label l12 + assert 0 <= _14.val_int && + _14.val_int < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref)) + assert true + fold acc(i32(_14), write) + exhale acc(_13.val_ref, write) && + (acc(struct$m_Route(_13.val_ref), write) && acc(i32(_14), write)) + _12 := builtin$havoc_ref() + inhale acc(_12.val_ref, write) && acc(struct$m_Point(_12.val_ref), write) + inhale true + inhale (unfolding acc(struct$m_Point(_12.val_ref), write) in + (unfolding acc(i32(_12.val_ref.f$x), write) in + _12.val_ref.f$x.val_int == + old[l12](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_13.val_ref), + _14.val_int)))) + label l13 + // ========== bb8 ========== + __t7 := true + // [mir] _9 = &mut (*_12) + _9 := 
builtin$havoc_ref() + inhale acc(_9.val_ref, write) + _9.val_ref := _12.val_ref + label l14 + // [mir] StorageDead(_14) + // [mir] StorageDead(_13) + // [mir] StorageDead(_12) + // [mir] StorageDead(_11) + // [mir] _4 = &mut (*_9) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + _4.val_ref := _9.val_ref + label l15 + // [mir] StorageDead(_9) + // [mir] goto -> bb9 + // ========== l21 ========== + // drop Acc(_1.val_ref.f$rest[enum_Some], write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_1.val_ref.f$rest[enum_Some].f$0, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_1.val_ref.f$rest.discriminant, write) (Pred(_1.val_ref.f$rest[enum_Some].f$0.val_ref, write)) + // drop Acc(_9.val_ref, write) (Acc(_9.val_ref, write)) + // drop Acc(_10.val_int, write) (Acc(_10.val_int, write)) + // drop Acc(_11.val_ref, write) (Acc(_11.val_ref, write)) + // drop Acc(_15.val_int, write) (Acc(_15.val_int, write)) + // drop Acc(_16.tuple_0, write) (Acc(_16.tuple_0, write)) + // drop Acc(_16.tuple_1.val_bool, write) (Acc(_16.tuple_1.val_bool, write)) + // drop Acc(_12.val_ref, write) (Acc(_12.val_ref, write)) + // drop Pred(_1.val_ref.f$current, write) (Pred(_1.val_ref.f$current, write)) + // drop Acc(_16.tuple_1, write) (Acc(_16.tuple_1, write)) + goto bb2 + + label l2 + // ========== l7 ========== + // MIR edge bb2 --> bb3 + // ========== bb3 ========== + __t9 := true + // [mir] StorageLive(_17) + // [mir] _17 = core::panicking::panic(const "internal error: entered unreachable code") -> bb10 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label return + // ========== bb5 ========== + __t3 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method 
builtin$havoc_int() returns (ret: Int)
+
+
+method builtin$havoc_ref() returns (ret: Ref)
diff --git a/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--get_nth_x-Both.vpr b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--get_nth_x-Both.vpr
new file mode 100644
index 00000000..b4574ffd
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--get_nth_x-Both.vpr
@@ -0,0 +1,766 @@ +domain MirrorDomain { + + function mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$discriminant_range { + (forall self: 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Route, _r_0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0), + 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Route :: + { 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { 
Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: Snap$struct$m_Route): Snap$struct$m_Point + + function 
Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function 
f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 
interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: 
BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + 
function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int + requires true + requires true + ensures result > 0 + ensures [result == + mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? 
+ 1 : + 1 + + f_length__$TY$__Snap$struct$m_Route$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)))) +} + +function m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) +} + +function 
snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.enum_Some.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self.enum_Some.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding 
acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + 
(acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Route(self.val_ref), write) +} + +method m_get_nth_x() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Int + var __t12: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Int + var _5: Int + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Int + var _10: Ref + + label start + // ========== start ========== + // Def path: "routes::get_nth_x" + // Span: tests/verify/pass/paper-examples/routes.rs:33:1: 40:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Route(_1.val_ref), read$()) && acc(i32(_2), write)) + inhale 0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding acc(i32(_2), write) in _2.val_int) < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + unfold acc(i32(_2), write) + _4 := _2.val_int + label l0 + // [mir] _3 = Eq(move _4, const 0_i32) + _3 := builtin$havoc_ref() + inhale acc(_3.val_bool, write) + _3.val_bool := _4 == 0 + // 
[mir] StorageDead(_4) + // [mir] switchInt(move _3) -> [0: bb2, otherwise: bb1] + __t10 := _3.val_bool + if (__t10) { + goto bb1 + } + goto bb0 + + label bb0 + // ========== l1 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] FakeRead(ForMatchedPlace(None), ((*_1).1: std::option::Option>)) + // [mir] _5 = discriminant(((*_1).1: std::option::Option>)) + _5 := builtin$havoc_int() + unfold acc(struct$m_Route(_1.val_ref), read$()) + _5 := m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(_1.val_ref.f$rest) + // [mir] switchInt(move _5) -> [0: bb3, 1: bb4, otherwise: bb5] + __t11 := _5 + // Ignore default target bb5, as the compiler marked it as unreachable. + if (__t11 == 0) { + goto l2 + } + goto l1 + + label bb1 + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t1 := true + // [mir] _0 = (((*_1).0: Point).0: i32) + _0 := builtin$havoc_ref() + inhale acc(_0.val_int, write) + unfold acc(struct$m_Route(_1.val_ref), read$()) + unfold acc(struct$m_Point(_1.val_ref.f$current), read$()) + unfold acc(i32(_1.val_ref.f$current.f$x), read$()) + _0.val_int := _1.val_ref.f$current.f$x.val_int + label l3 + // [mir] goto -> bb9 + goto bb2 + + label bb2 + // ========== bb9 ========== + __t8 := true + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l14 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$current.f$x), read$()) + fold acc(struct$m_Point(_1.val_ref.f$current), read$()) + fold acc(struct$m_Route(_1.val_ref), read$()) + // obtain acc(struct$m_Route(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Route(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label l1 + // ========== l4 ========== + // MIR edge bb2 --> bb4 + // ========== bb4 ========== + __t4 := true + // [mir] falseEdge -> [real: bb6, imaginary: bb3] + // ========== bb6 ========== + __t5 := true + // [mir] StorageLive(_6) + // [mir] _6 = &(*((((*_1).1: std::option::Option>) as Some).0: std::boxed::Box)) + _6 := builtin$havoc_ref() + inhale acc(_6.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + _6.val_ref := _1.val_ref.f$rest.enum_Some.f$0.val_ref + inhale acc(struct$m_Route(_6.val_ref), read$()) + label l6 + // [mir] StorageLive(_7) + // [mir] _7 = &(*_6) + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _6.val_ref + inhale acc(struct$m_Route(_7.val_ref), read$()) + label l7 + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = _2 + _9 := 
builtin$havoc_int() + _9 := _2.val_int + label l8 + // [mir] _10 = CheckedSub(_9, const 1_i32) + _10 := builtin$havoc_ref() + inhale acc(_10.tuple_0, write) + inhale acc(_10.tuple_0.val_int, write) + inhale acc(_10.tuple_1, write) + inhale acc(_10.tuple_1.val_bool, write) + _10.tuple_0.val_int := _9 - 1 + _10.tuple_1.val_bool := false + // [mir] assert(!move (_10.1: bool), "attempt to compute `{} - {}`, which would overflow", move _9, const 1_i32) -> [success: bb7, unwind: bb10] + __t12 := _10.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t12 + // ========== bb7 ========== + __t6 := true + // [mir] _8 = move (_10.0: i32) + _8 := _10.tuple_0 + label l9 + // [mir] StorageDead(_9) + // [mir] _0 = get_nth_x(move _7, move _8) -> [return: bb8, unwind: bb10] + label l10 + assert 0 <= _8.val_int && + _8.val_int < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_7.val_ref)) + fold acc(i32(_8), write) + exhale acc(_7.val_ref, write) && acc(i32(_8), write) + _0 := builtin$havoc_ref() + inhale acc(i32(_0), write) + // transfer perm _7.val_ref --> old[l10](_7.val_ref) // unchecked: true + label l11 + // ========== l12 ========== + // MIR edge bb7 --> bb8 + // Expire borrows + // expire_borrows ReborrowingDAG(L5,L4,L3,) + + if (__t5 && __t6) { + // expire loan L4 + // transfer perm old[l10](_7.val_ref) --> old[l7](_7.val_ref) // unchecked: false + exhale acc(struct$m_Route(old[l7](_7.val_ref)), read$()) + } + if (__t5 && (__t5 && __t6)) { + // expire loan L3 + exhale acc(struct$m_Route(_6.val_ref), read$()) + } + // ========== bb8 ========== + __t7 := true + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] goto -> bb9 + // ========== l13 ========== + fold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + fold 
acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(i32(_0), write) + // drop Acc(_5.val_int, write) (Acc(_5.val_int, write)) + // drop Acc(_10.tuple_1.val_bool, write) (Acc(_10.tuple_1.val_bool, write)) + // drop Acc(_6.val_ref, write) (Acc(_6.val_ref, write)) + unfold acc(struct$m_Point(_1.val_ref.f$current), read$()) + unfold acc(i32(_1.val_ref.f$current.f$x), read$()) + // drop Acc(_9.val_int, write) (Acc(_9.val_int, write)) + // drop Acc(_10.tuple_0, write) (Acc(_10.tuple_0, write)) + // drop Acc(_10.tuple_1, write) (Acc(_10.tuple_1, write)) + goto bb2 + + label l2 + // ========== l5 ========== + // MIR edge bb2 --> bb3 + // ========== bb3 ========== + __t9 := true + // [mir] StorageLive(_11) + // [mir] _11 = core::panicking::panic(const "internal error: entered unreachable code") -> bb10 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label return + // ========== bb5 ========== + __t3 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--length-Both.vpr b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--length-Both.vpr new file mode 100644 index 00000000..6b024b81 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--length-Both.vpr 
@@ -0,0 +1,672 @@ +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$discriminant_range { + (forall self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) == + 0 + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Route, _r_0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0), + 
cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) } + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_l_0) == + cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Route :: + { cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0) } + discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + 1) + } + + axiom Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Route :: + { 
Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) } + Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { 
Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: Snap$struct$m_Route): Snap$struct$m_Point + + function 
Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function 
f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 
interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: 
BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + 
function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Ref): Int + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures 
discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self)) == + result +{ + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) +{ + ((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_((unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) in + (unfolding acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.enum_Some.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self.enum_Some.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + 
snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self.enum_Some), write))) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Route(self.val_ref), write) +} + +method m_length() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Int + var __t9: Bool + var 
_old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Ref + var _5: Ref + var _6: Ref + + label start + // ========== start ========== + // Def path: "routes::length" + // Span: tests/verify/pass/paper-examples/routes.rs:24:1: 29:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(struct$m_Route(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] FakeRead(ForMatchedPlace(None), ((*_1).1: std::option::Option>)) + // [mir] _3 = discriminant(((*_1).1: std::option::Option>)) + _3 := builtin$havoc_int() + unfold acc(struct$m_Route(_1.val_ref), read$()) + _3 := m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$discriminant$$__$TY$__m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(_1.val_ref.f$rest) + // [mir] switchInt(move _3) -> [0: bb1, 1: bb2, otherwise: bb3] + __t8 := _3 + // Ignore default target bb3, as the compiler marked it as unreachable. 
+ if (__t8 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb1] + // ========== bb4 ========== + __t3 := true + // [mir] StorageLive(_4) + // [mir] _4 = &(*((((*_1).1: std::option::Option>) as Some).0: std::boxed::Box)) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + _4.val_ref := _1.val_ref.f$rest.enum_Some.f$0.val_ref + inhale acc(struct$m_Route(_4.val_ref), read$()) + label l2 + // [mir] StorageLive(_5) + // [mir] _5 = &(*_4) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _4.val_ref + inhale acc(struct$m_Route(_5.val_ref), read$()) + label l3 + // [mir] _2 = length(move _5) -> [return: bb5, unwind: bb8] + label l4 + exhale acc(_5.val_ref, write) + _2 := builtin$havoc_ref() + inhale acc(i32(_2), write) + // transfer perm _5.val_ref --> old[l4](_5.val_ref) // unchecked: true + inhale (unfolding acc(i32(_2), write) in _2.val_int > 0) + label l5 + // ========== l6 ========== + // MIR edge bb4 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L4,L3,L5,) + + if (__t3 && __t3) { + // expire loan L3 + // transfer perm old[l4](_5.val_ref) --> old[l3](_5.val_ref) // unchecked: false + exhale acc(struct$m_Route(old[l3](_5.val_ref)), read$()) + } + if (__t3 && (__t3 && __t3)) { + // expire loan L5 + exhale acc(struct$m_Route(_4.val_ref), read$()) + } + // ========== bb5 ========== + __t4 := true + // [mir] StorageDead(_5) + // [mir] StorageDead(_4) + // 
[mir] goto -> bb6 + // ========== l8 ========== + fold acc(struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global(_1.val_ref.f$rest.enum_Some.f$0), read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_Some(_1.val_ref.f$rest.enum_Some), read$()) + fold acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1.val_ref.f$rest), read$()) + unfold acc(i32(_2), write) + // drop Acc(_4.val_ref, write) (Acc(_4.val_ref, write)) + goto l1 + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t5 := true + // [mir] _2 = const 0_i32 + _2 := builtin$havoc_ref() + inhale acc(_2.val_int, write) + _2.val_int := 0 + // [mir] goto -> bb6 + goto l1 + + label l1 + // ========== bb6 ========== + __t6 := true + // [mir] _6 = CheckedAdd(const 1_i32, _2) + _6 := builtin$havoc_ref() + inhale acc(_6.tuple_0, write) + inhale acc(_6.tuple_0.val_int, write) + inhale acc(_6.tuple_1, write) + inhale acc(_6.tuple_1.val_bool, write) + _6.tuple_0.val_int := 1 + _2.val_int + _6.tuple_1.val_bool := false + // [mir] assert(!move (_6.1: bool), "attempt to compute `{} + {}`, which would overflow", const 1_i32, move _2) -> [success: bb7, unwind: bb8] + __t9 := _6.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t9 + // ========== bb7 ========== + __t7 := true + // [mir] _0 = move (_6.0: i32) + _0 := _6.tuple_0 + label l7 + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l9 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_Route(_1.val_ref), read$()) + // obtain acc(struct$m_Route(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(i32(_0), write) in _0.val_int > 0) + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Route(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--main-Both.vpr new file mode 100644 index 00000000..a2a4f46c --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "routes::main" + // Span: tests/verify/pass/paper-examples/routes.rs:78:1: 78:13 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := 
true + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_nth_x-Both.vpr b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_nth_x-Both.vpr new file mode 100644 index 00000000..5e6b8a0d --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_nth_x-Both.vpr 
@@ -0,0 +1,660 @@ +domain MirrorDomain { + + function mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + + function mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int +} + +domain Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ { + + function discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Int + + function Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(self: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route +} + +domain Snap$struct$m_Point { + + function cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0: Int, + _1: Int): Snap$struct$m_Point + + function Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + function Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self: Snap$struct$m_Point): Int + + axiom Snap$struct$m_Point$0$injectivity { + (forall _l_0: Int, _l_1: Int, _r_0: Int, _r_1: Int :: + { cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 
== _r_1) + } + + axiom Snap$struct$m_Point$0$field$f$x$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Point$0$field$f$x$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Point$0$field$f$y$axiom { + (forall _0: Int, _1: Int :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) } + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point(_0, + _1)) == + _1) + } + + axiom Snap$struct$m_Point$0$field$f$y$valid { + (forall self: Snap$struct$m_Point :: + { Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) } + -2147483648 <= + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) && + Snap$struct$m_Point$0$field$f$y__$TY$__Snap$struct$m_Point$$int$(self) <= + 2147483647) + } +} + +domain Snap$struct$m_Route { + + function cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0: Snap$struct$m_Point, + _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_): Snap$struct$m_Route + + function Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(self: 
Snap$struct$m_Route): Snap$struct$m_Point + + function Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Snap$struct$m_Route): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + + axiom Snap$struct$m_Route$0$injectivity { + (forall _l_0: Snap$struct$m_Point, _l_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_, + _r_0: Snap$struct$m_Point, _r_1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Route$0$field$f$current$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { 
Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Route$0$field$f$rest$axiom { + (forall _0: Snap$struct$m_Point, _1: Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ :: + { Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) } + Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: 
FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function 
f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, 
b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain 
BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + 
function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$current: Ref + +field f$rest: Ref + +field f$x: Ref + +field f$y: Ref + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1: Snap$struct$m_Route, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_length__$TY$__Snap$struct$m_Route$$int$(_1) + ensures true + ensures [result == + mirror_simple$f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(_1, _2), + true] +{ + (_2 != 0 ? 
+ (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)), + _2 - 1)) : + Snap$struct$m_Point$0$field$f$x__$TY$__Snap$struct$m_Point$$int$(Snap$struct$m_Route$0$field$f$current__$TY$__Snap$struct$m_Route$Snap$struct$m_Point(_1))) +} + +function f_length__$TY$__Snap$struct$m_Route$$int$(_1: Snap$struct$m_Route): Int + requires true + requires true + ensures result > 0 + ensures [result == + mirror_simple$f_length__$TY$__Snap$struct$m_Route$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$$int$(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)) == + 0 ? 
+ 1 : + 1 + + f_length__$TY$__Snap$struct$m_Route$$int$(Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$1$field$f$0__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route(Snap$struct$m_Route$0$field$f$rest__$TY$__Snap$struct$m_Route$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(_1)))) +} + +function snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref): Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_ + requires acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self), read$()) + + +function snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self: Ref): Snap$struct$m_Point + requires acc(struct$m_Point(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Point$$int$$$int$$Snap$struct$m_Point((unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$x), read$()) in self.f$x.val_int)), (unfolding acc(struct$m_Point(self), read$()) in + (unfolding acc(i32(self.f$y), read$()) in self.f$y.val_int))) +} + +function snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(self: Ref): Snap$struct$m_Route + requires acc(struct$m_Route(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Route$Snap$struct$m_Point$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$struct$m_Route((unfolding acc(struct$m_Route(self), read$()) in + 
snap$__$TY$__Snap$struct$m_Point$struct$m_Point$Snap$struct$m_Point(self.f$current)), + (unfolding acc(struct$m_Route(self), read$()) in + snap$__$TY$__Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_$Snap$m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self: Ref) + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && acc(i32(self.f$y), write))) +} + +predicate struct$m_Route(self: Ref) { + acc(self.f$current, write) && + (acc(struct$m_Point(self.f$current), write) && + (acc(self.f$rest, write) && + acc(m_std$$option$$Option$_beg_$struct$m_std$$boxed$$Box$struct$m_Route$struct$m_std$$alloc$$Global$_end_(self.f$rest), write))) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_shift_nth_x() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var _old$l3$0: Ref + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + + label start + // ========== start ========== + // Def path: "routes::shift_nth_x" + // Span: tests/verify/pass/paper-examples/routes.rs:73:1: 76:2 (#0) + __t0 := false + __t1 := false + __t2 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Route(_1.val_ref), write) && + (acc(i32(_2), write) && acc(i32(_3), write))) + inhale true + inhale 0 <= (unfolding acc(i32(_2), write) in _2.val_int) && + (unfolding 
acc(i32(_2), write) in _2.val_int) < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] _5 = &mut (*_1) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _1.val_ref + label l0 + // [mir] StorageLive(_6) + // [mir] _6 = _2 + _6 := builtin$havoc_ref() + inhale acc(_6.val_int, write) + unfold acc(i32(_2), write) + _6.val_int := _2.val_int + label l1 + // [mir] _4 = borrow_nth(move _5, move _6) -> [return: bb1, unwind: bb3] + label l2 + assert 0 <= _6.val_int && + _6.val_int < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref)) + assert true + fold acc(i32(_6), write) + exhale acc(_5.val_ref, write) && + (acc(struct$m_Route(_5.val_ref), write) && acc(i32(_6), write)) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) && acc(struct$m_Point(_4.val_ref), write) + inhale true + inhale (unfolding acc(struct$m_Point(_4.val_ref), write) in + (unfolding acc(i32(_4.val_ref.f$x), write) in + _4.val_ref.f$x.val_int == + old[l2](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref), + _6.val_int)))) + label l3 + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] FakeRead(ForLet(None), _4) + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] _8 = &mut (*_4) + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + _8.val_ref := _4.val_ref + label l4 + // [mir] StorageLive(_9) + // [mir] _9 = _3 + _9 := builtin$havoc_ref() + inhale acc(_9.val_int, write) + unfold acc(i32(_3), write) + _9.val_int := _3.val_int + label l5 + // [mir] _7 = shift_x(move _8, move _9) -> [return: bb2, unwind: bb3] + label l6 + assert true + fold acc(i32(_9), 
write) + exhale acc(_8.val_ref, write) && + (acc(struct$m_Point(_8.val_ref), write) && acc(i32(_9), write)) + _7 := builtin$havoc_ref() + inhale acc(struct$m_Point(old[l6](_8.val_ref)), write) + inhale acc(tuple0$(_7), write) + inhale true + inhale (unfolding acc(struct$m_Point(old[l6](_8.val_ref)), write) in + (unfolding acc(i32(old[l6](_8.val_ref).f$y), write) in + (unfolding acc(i32(old[l6](_8.val_ref).f$x), write) in + old[l6](_8.val_ref).f$x.val_int == + old[l6]((unfolding acc(struct$m_Point(_8.val_ref), write) in + (unfolding acc(i32(_8.val_ref.f$x), write) in + _8.val_ref.f$x.val_int))) + + old[l6](_9.val_int) && + old[l6](_8.val_ref).f$y.val_int == + old[l6]((unfolding acc(struct$m_Point(_8.val_ref), write) in + (unfolding acc(i32(_8.val_ref.f$y), write) in + _8.val_ref.f$y.val_int)))))) + label l7 + // ========== l8 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L5,L1,L6,L7,L0,) + + if (__t0 && (__t1 && __t1)) { + // expire loan L6 + _old$l3$0 := _4.val_ref + inhale acc(DeadBorrowToken$(6), write) && + acc(struct$m_Point(_old$l3$0), write) --* + acc(struct$m_Route(old[l2](_5.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref))) == + old[l2](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + old[l2](_6.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l3$0), write) in + (unfolding acc(i32(_old$l3$0.f$x), write) in _old$l3$0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)))) || + (!(_0_quant_0 == old[l2](_6.val_int)) ==> 
+ f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + _0_quant_0) == + old[l2](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref), + _0_quant_0))))))) + inhale acc(DeadBorrowToken$(6), write) + apply acc(DeadBorrowToken$(6), write) && + acc(struct$m_Point(_old$l3$0), write) --* + acc(struct$m_Route(old[l2](_5.val_ref)), write) && + (f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref))) == + old[l2](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + old[l2](_6.val_int)) == + old[lhs]((unfolding acc(struct$m_Point(_old$l3$0), write) in + (unfolding acc(i32(_old$l3$0.f$x), write) in _old$l3$0.f$x.val_int))) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)))) || + (!(_0_quant_0 == old[l2](_6.val_int)) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(old[l2](_5.val_ref)), + _0_quant_0) == + old[l2](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_5.val_ref), + _0_quant_0))))))) + } + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_9) + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] _0 = const () + // [mir] StorageDead(_4) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l10 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(struct$m_Route(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0)) == + old[pre](f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref))) && + (f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0), + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + (unfolding acc(i32(_2), write) in _2.val_int))) + + old[pre]((unfolding acc(i32(_3), write) in _3.val_int)) && + (forall _0_quant_0: Int ::!(0 <= _0_quant_0) || + (!(_0_quant_0 < + f_length__$TY$__Snap$struct$m_Route$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0))) || + (!(_0_quant_0 == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int))) ==> + f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_old$pre$0), + _0_quant_0) == + old[pre](f_get_nth_x__$TY$__Snap$struct$m_Route$$int$$$int$(snap$__$TY$__Snap$struct$m_Route$struct$m_Route$Snap$struct$m_Route(_1.val_ref), + _0_quant_0)))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Route(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + 
+method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_x-Both.vpr b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_x-Both.vpr new file mode 100644 index 00000000..c0fddee1 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/routes.rs/tests_verify_pass_paper-examples_routes_routes.rs_routes--shift_x-Both.vpr 
@@ -0,0 +1,377 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$x: Ref + +field f$y: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_Point(self: Ref) { + acc(self.f$x, write) && + (acc(i32(self.f$x), write) && + (acc(self.f$y, write) && 
acc(i32(self.f$y), write))) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_shift_x() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Int + var _5: Ref + + label start + // ========== start ========== + // Def path: "routes::shift_x" + // Span: tests/verify/pass/paper-examples/routes.rs:13:1: 15:2 (#0) + __t0 := false + __t1 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_Point(_1.val_ref), write) && acc(i32(_2), write)) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = ((*_1).0: i32) + _3 := builtin$havoc_int() + unfold acc(struct$m_Point(_1.val_ref), write) + unfold acc(i32(_1.val_ref.f$x), write) + _3 := _1.val_ref.f$x.val_int + label l0 + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + unfold acc(i32(_2), write) + _4 := _2.val_int + label l1 + // [mir] _5 = CheckedAdd(_3, _4) + _5 := builtin$havoc_ref() + inhale acc(_5.tuple_0, write) + inhale acc(_5.tuple_0.val_int, write) + inhale acc(_5.tuple_1, write) + inhale acc(_5.tuple_1.val_bool, write) + _5.tuple_0.val_int := _3 + _4 + _5.tuple_1.val_bool := false + // [mir] assert(!move (_5.1: bool), "attempt to compute `{} + {}`, which would overflow", move _3, move _4) -> [success: bb1, unwind: bb2] + __t2 := _5.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t2 + // ========== bb1 ========== + __t1 := true + // [mir] ((*_1).0: i32) = move (_5.0: i32) + _1.val_ref.f$x := _5.tuple_0 + label l2 + // [mir] _0 = const () + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l4 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$x), write) + fold acc(struct$m_Point(_1.val_ref), write) + // obtain acc(struct$m_Point(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (unfolding acc(struct$m_Point(_old$pre$0), write) in + (unfolding acc(i32(_old$pre$0.f$y), write) in + (unfolding acc(i32(_old$pre$0.f$x), write) in + _old$pre$0.f$x.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$x), write) in + _1.val_ref.f$x.val_int))) + + old[pre]((unfolding acc(i32(_2), write) in _2.val_int)) && + _old$pre$0.f$y.val_int == + old[pre]((unfolding acc(struct$m_Point(_1.val_ref), write) in + (unfolding acc(i32(_1.val_ref.f$y), write) in + _1.val_ref.f$y.val_int)))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_Point(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--main-Both.vpr new file mode 100644 index 00000000..10996f9d --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "selection_sort::main" + // Span: tests/verify/pass/arrays/selection_sort.rs:7:1: 7:13 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== + 
__t0 := true + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--selection_sort-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--selection_sort-Both.vpr new file mode 100644 index 00000000..ba40fbc5 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_arrays_selection_sort_selection_sort.rs_selection_sort--selection_sort-Both.vpr 
@@ -0,0 +1,2186 @@ +domain Snap$Array$10$i32 { + + function cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(data: Seq[Int]): Snap$Array$10$i32 + + function uncons$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$Seq$$int$(array: Snap$Array$10$i32): Seq[Int] + + function read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(arr: Snap$Array$10$i32, + idx: Int): Int + + axiom Snap$Array$10$i32$injectivity { + (forall data: Seq[Int] :: + { cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(data) } + uncons$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$Seq$$int$(cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(data)) == + data) + } + + axiom Snap$Array$10$i32$surjectivity { + (forall data: Snap$Array$10$i32 :: + { uncons$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$Seq$$int$(data) } + cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(uncons$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$Seq$$int$(data)) == + data) + } + + axiom Snap$Array$10$i32$extensionality { + (forall _l_data: Seq[Int], _r_data: Seq[Int] :: + { cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(_l_data), + cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(_r_data) } + _l_data == _r_data ==> + cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(_l_data) == + cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(_r_data)) + } + + axiom Array$10$i32$read_indices { + (forall data: Seq[Int], idx: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(data), + idx) } + { data[idx] } + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(data), + idx) == + data[idx]) + } + + axiom Snap$Array$10$i32$valid { + (forall self: Snap$Array$10$i32, idx: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(self, idx) } + -2147483648 <= + 
read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(self, idx) && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(self, idx) <= + 2147483647) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function 
f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool 
interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): 
BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function 
bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function Slice$len__$TY$__i32$Slice$i32$$int$(self: Ref): Int + requires acc(Slice$i32(self), read$()) + ensures result >= 0 + ensures result <= 18446744073709551615 + + +function 
lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self: Ref, + idx: Int): Int + requires acc(Array$10$i32(self), read$()) + requires 0 <= idx + requires idx < 10 + + +function lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(self: Ref, idx: Int): Int + requires acc(Slice$i32(self), read$()) + requires 0 <= idx + requires idx < Slice$len__$TY$__i32$Slice$i32$$int$(self) + + +function seq_collect$Array$10$i32$__$TY$__Array$10$i32$$int$$Seq$$int$(self: Ref, + start: Int): Seq[Int] + requires acc(Array$10$i32(self), read$()) + requires 0 <= start + ensures start >= 10 ==> result == Seq[Int]() + ensures start < 10 ==> |result| == 10 - start + ensures start < 10 ==> + result[0] == + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self, start) + ensures start < 10 ==> + (forall i: Int, j: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self, i), + result[j] } + start <= i && i < 10 && (0 <= j && j < 10 - start && i == j + start) ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self, i) == + result[j]) +{ + (start >= 10 ? 
+ Seq[Int]() : + Seq(lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self, start)) ++ + seq_collect$Array$10$i32$__$TY$__Array$10$i32$$int$$Seq$$int$(self, start + + 1)) +} + +function snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(self: Ref): Snap$Array$10$i32 + requires acc(Array$10$i32(self), read$()) + ensures (forall i: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(result, + i) } + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self, i) } + 0 <= i && i < 10 ==> + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(result, i) == + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(self, i)) +{ + cons$Snap$Array$10$i32$__$TY$__Seq$$int$$Snap$Array$10$i32(seq_collect$Array$10$i32$__$TY$__Array$10$i32$$int$$Seq$$int$(self, + 0)) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate Array$10$i32(self: Ref) + +predicate DeadBorrowToken$(borrow: Int) + +predicate Slice$i32(self: Ref) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate tuple0$(self: Ref) { + true +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_selection_sort() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var __t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var 
__t41: Bool + var __t42: Bool + var __t43: Bool + var __t44: Bool + var __t45: Bool + var __t46: Bool + var __t47: Bool + var __t48: Bool + var __t49: Bool + var __t50: Bool + var __t51: Bool + var __t52: Bool + var __t53: Bool + var __t54: Bool + var _preserve$0: Ref + var __t55: Bool + var __t56: Bool + var __t57: Bool + var __t58: Bool + var __t59: Bool + var __t60: Bool + var __t61: Bool + var __t62: Bool + var __t63: Ref + var __t64: Bool + var __t65: Ref + var __t66: Bool + var __t67: Bool + var __t68: Bool + var __t69: Bool + var __t70: Bool + var __t71: Ref + var __t72: Bool + var __t73: Ref + var __t74: Bool + var __t75: Ref + var __t76: Bool + var __t77: Ref + var __t78: Bool + var __t79: Bool + var __t80: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _5: Ref + var _6: Int + var _7: Int + var _8: Ref + var _9: Ref + var _11: Ref + var _15: Ref + var _20: Ref + var _25: Ref + var _29: Ref + var _30: Ref + var _31: Int + var _32: Ref + var _34: Ref + var _35: Int + var _36: Int + var _37: Ref + var _38: Ref + var _40: Ref + var _44: Ref + var _49: Ref + var _54: Ref + var _59: Ref + var _64: Ref + var _69: Ref + var _75: Ref + var _82: Ref + var _83: Int + var _84: Int + var _85: Int + var _86: Ref + var _87: Int + var _88: Int + var _89: Int + var _90: Ref + var _91: Ref + var _92: Ref + var _96: Int + var _97: Int + var _98: Int + var _99: Ref + var _100: Int + var _101: Int + var _102: Int + var _103: Ref + var _104: Ref + var _105: Int + var _106: Int + var _107: Ref + var _108: Ref + var _109: Int + var _110: Int + var _111: Ref + var _112: Ref + + label start + // ========== start ========== + // Def path: "selection_sort::selection_sort" + // Span: tests/verify/pass/arrays/selection_sort.rs:13:1: 73:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 
:= false + __t14 := false + __t15 := false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + __t27 := false + __t28 := false + __t29 := false + __t30 := false + __t31 := false + __t32 := false + __t33 := false + __t34 := false + __t35 := false + __t36 := false + __t37 := false + __t38 := false + __t39 := false + __t40 := false + __t41 := false + __t42 := false + __t43 := false + __t44 := false + __t45 := false + __t46 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(Array$10$i32(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] _3 = const 0_usize + _3 := builtin$havoc_ref() + inhale acc(_3.val_int, write) + _3.val_int := 0 + // [mir] FakeRead(ForLet(None), _3) + // [mir] goto -> bb1 + // ========== loop1_start ========== + // ========== loop1_group1_bb1 ========== + // This is a loop head + __t1 := true + // [mir] falseUnwind -> [real: bb2, unwind: bb59] + // ========== loop1_group1_bb2 ========== + __t2 := true + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _3 + _6 := builtin$havoc_int() + _6 := _3.val_int + label l0 + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = &(*_1) + _9 := builtin$havoc_ref() + inhale acc(_9.val_ref, write) + _9.val_ref := _1.val_ref + exhale acc(Array$10$i32(_1.val_ref), write - read$()) + inhale acc(Array$10$i32(_9.val_ref), read$()) + label l1 + // [mir] _8 = move _9 as &[i32] (PointerCoercion(Unsize)) + label l2 + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + inhale acc(Slice$i32(_8.val_ref), read$()) + inhale Slice$len__$TY$__i32$Slice$i32$$int$(_8.val_ref) == 10 + inhale (forall i: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_9.val_ref, + i) } + { 
lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_8.val_ref, i) } + 0 <= i && i < 10 ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_9.val_ref, + i) == + lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_8.val_ref, i)) + // [mir] StorageDead(_9) + // [mir] _7 = core::slice::::len(move _8) -> [return: bb3, unwind: bb59] + label l3 + _7 := builtin$havoc_int() + _7 := Slice$len__$TY$__i32$Slice$i32$$int$(_8.val_ref) + // transfer perm _8.val_ref --> old[l3](_8.val_ref) // unchecked: false + // ========== l4 ========== + // MIR edge bb2 --> bb3 + // Expire borrows + // expire_borrows ReborrowingDAG(L30,L33,L0,) + + if (__t2 && (__t2 && __t2)) { + // expire loan L0 + exhale acc(Array$10$i32(_9.val_ref), read$()) + inhale acc(Array$10$i32(_1.val_ref), write - read$()) + } + // ========== loop1_group1_bb3 ========== + __t3 := true + // [mir] StorageDead(_8) + // [mir] _5 = Lt(move _6, move _7) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 < _7 + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb58, otherwise: bb4] + __t47 := _5.val_bool + if (__t47) { + goto bb0 + } + goto return + + label bb0 + // ========== l6 ========== + // MIR edge bb3 --> bb4 + // ========== loop1_group2_bb4 ========== + __t4 := true + // [mir] StorageLive(_10) + // [mir] StorageLive(_11) + // [mir] _11 = const false + _11 := builtin$havoc_ref() + inhale acc(_11.val_bool, write) + _11.val_bool := false + // [mir] switchInt(move _11) -> [0: bb6, otherwise: bb5] + __t48 := _11.val_bool + // Ignore default target bb5, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb1) + // obtain acc(_1.val_ref, read) + fold acc(usize(_3), write) + // obtain acc(usize(_3), write) + // obtain acc(Array$10$i32(_1.val_ref), write) + assert 0 <= (unfolding acc(usize(_3), write) in _3.val_int) && + (unfolding acc(usize(_3), write) in _3.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + 0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_3), write) in _3.val_int)) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0))))) && + (forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) 
} + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int)) || + (!((unfolding acc(usize(_3), write) in _3.val_int) <= _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0)))))))) + assert true + exhale acc(_1.val_ref, read$()) && + (acc(usize(_3), write) && acc(Array$10$i32(_1.val_ref), write)) + _100 := builtin$havoc_int() + _101 := builtin$havoc_int() + _102 := builtin$havoc_int() + _103 := builtin$havoc_ref() + _104 := builtin$havoc_ref() + _105 := builtin$havoc_int() + _106 := builtin$havoc_int() + _107 := builtin$havoc_ref() + _108 := builtin$havoc_ref() + _109 := builtin$havoc_int() + _11 := builtin$havoc_ref() + _110 := builtin$havoc_int() + _111 := builtin$havoc_ref() + _112 := builtin$havoc_ref() + _15 := builtin$havoc_ref() + _2 := builtin$havoc_ref() + _20 := builtin$havoc_ref() + _25 := builtin$havoc_ref() + _29 := builtin$havoc_ref() + _3 := builtin$havoc_ref() + _30 := builtin$havoc_ref() + _31 := builtin$havoc_int() + _32 := builtin$havoc_ref() + _34 := builtin$havoc_ref() + _35 := builtin$havoc_int() + _36 := builtin$havoc_int() + _37 := builtin$havoc_ref() + _38 := builtin$havoc_ref() + _40 := builtin$havoc_ref() + _44 := builtin$havoc_ref() + _49 := builtin$havoc_ref() + _5 := builtin$havoc_ref() + _54 := builtin$havoc_ref() + _59 := builtin$havoc_ref() + _6 := builtin$havoc_int() + _64 := builtin$havoc_ref() + _69 := builtin$havoc_ref() + _7 := builtin$havoc_int() + _75 := builtin$havoc_ref() + _8 := builtin$havoc_ref() + _82 := builtin$havoc_ref() + _83 := builtin$havoc_int() + _84 := builtin$havoc_int() + _85 := builtin$havoc_int() + _86 := 
builtin$havoc_ref() + _87 := builtin$havoc_int() + _88 := builtin$havoc_int() + _89 := builtin$havoc_int() + _9 := builtin$havoc_ref() + _90 := builtin$havoc_ref() + _91 := builtin$havoc_ref() + _92 := builtin$havoc_ref() + _96 := builtin$havoc_int() + _97 := builtin$havoc_int() + _98 := builtin$havoc_int() + _99 := builtin$havoc_ref() + __t1 := builtin$havoc_bool() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t13 := builtin$havoc_bool() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t2 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t31 := builtin$havoc_bool() + __t32 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t34 := builtin$havoc_bool() + __t35 := builtin$havoc_bool() + __t36 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t40 := builtin$havoc_bool() + __t41 := builtin$havoc_bool() + __t42 := builtin$havoc_bool() + __t43 := builtin$havoc_bool() + __t44 := builtin$havoc_bool() + __t45 := builtin$havoc_bool() + __t49 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t50 := builtin$havoc_bool() + __t51 := builtin$havoc_bool() + __t52 := builtin$havoc_bool() + __t53 := builtin$havoc_bool() + __t54 := builtin$havoc_bool() + __t55 := builtin$havoc_bool() + __t56 := builtin$havoc_bool() + __t57 := builtin$havoc_bool() + __t58 := builtin$havoc_bool() + __t59 := builtin$havoc_bool() + 
__t6 := builtin$havoc_bool() + __t60 := builtin$havoc_bool() + __t61 := builtin$havoc_bool() + __t62 := builtin$havoc_bool() + __t63 := builtin$havoc_ref() + __t64 := builtin$havoc_bool() + __t65 := builtin$havoc_ref() + __t66 := builtin$havoc_bool() + __t67 := builtin$havoc_bool() + __t68 := builtin$havoc_bool() + __t69 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t70 := builtin$havoc_bool() + __t71 := builtin$havoc_ref() + __t72 := builtin$havoc_bool() + __t73 := builtin$havoc_ref() + __t74 := builtin$havoc_bool() + __t75 := builtin$havoc_ref() + __t76 := builtin$havoc_bool() + __t77 := builtin$havoc_ref() + __t78 := builtin$havoc_bool() + __t79 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t80 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + _preserve$0 := builtin$havoc_ref() + // ========== loop1_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb1 + inhale acc(_1.val_ref, read$()) && + (acc(usize(_3), write) && acc(Array$10$i32(_1.val_ref), write)) + inhale true + // ========== loop1_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb1 + inhale 0 <= (unfolding acc(usize(_3), write) in _3.val_int) && + (unfolding acc(usize(_3), write) in _3.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + 0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_3), write) in _3.val_int)) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), 
read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0))))) && + (forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int)) || + (!((unfolding acc(usize(_3), write) in _3.val_int) <= _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0)))))))) + // ========== loop1_group3_bb6 ========== + __t5 := true + // [mir] _10 = const () + // [mir] goto -> bb7 + // ========== loop1_group3_bb7 ========== + __t6 := true + // [mir] StorageDead(_11) + // [mir] StorageDead(_10) + // [mir] StorageLive(_14) + // [mir] StorageLive(_15) + // [mir] _15 = const false + _15 := builtin$havoc_ref() + inhale acc(_15.val_bool, write) + _15.val_bool 
:= false + // [mir] switchInt(move _15) -> [0: bb9, otherwise: bb8] + __t49 := _15.val_bool + // Ignore default target bb8, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_bb9 ========== + __t7 := true + // [mir] _14 = const () + // [mir] goto -> bb10 + // ========== loop1_group3_bb10 ========== + __t8 := true + // [mir] StorageDead(_15) + // [mir] StorageDead(_14) + // [mir] StorageLive(_19) + // [mir] StorageLive(_20) + // [mir] _20 = const false + _20 := builtin$havoc_ref() + inhale acc(_20.val_bool, write) + _20.val_bool := false + // [mir] switchInt(move _20) -> [0: bb12, otherwise: bb11] + __t50 := _20.val_bool + // Ignore default target bb11, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_bb12 ========== + __t9 := true + // [mir] _19 = const () + // [mir] goto -> bb13 + // ========== loop1_group3_bb13 ========== + __t10 := true + // [mir] StorageDead(_20) + // [mir] StorageDead(_19) + // [mir] StorageLive(_24) + // [mir] StorageLive(_25) + // [mir] _25 = const false + _25 := builtin$havoc_ref() + inhale acc(_25.val_bool, write) + _25.val_bool := false + // [mir] switchInt(move _25) -> [0: bb15, otherwise: bb14] + __t51 := _25.val_bool + // Ignore default target bb14, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_group3_bb15 ========== + __t11 := true + // [mir] _24 = const () + // [mir] goto -> bb16 + // ========== loop1_group3_bb16 ========== + __t12 := true + // [mir] StorageDead(_25) + // [mir] StorageDead(_24) + // [mir] StorageLive(_29) + // [mir] _29 = _3 + _29 := builtin$havoc_ref() + inhale acc(_29.val_int, write) + unfold acc(usize(_3), write) + _29.val_int := _3.val_int + label l7 + // [mir] _2 = move _29 + _2 := _29 + label l8 + // [mir] StorageDead(_29) + // [mir] StorageLive(_30) + // [mir] StorageLive(_31) + // [mir] _31 = _3 + _31 := builtin$havoc_int() + _31 := _3.val_int + label l9 + // [mir] _32 = CheckedAdd(_31, const 1_usize) + _32 := builtin$havoc_ref() + inhale acc(_32.tuple_0, write) + inhale acc(_32.tuple_0.val_int, write) + inhale acc(_32.tuple_1, write) + inhale acc(_32.tuple_1.val_bool, write) + _32.tuple_0.val_int := _31 + 1 + _32.tuple_1.val_bool := false + // [mir] assert(!move (_32.1: bool), "attempt to compute `{} + {}`, which would overflow", move _31, const 1_usize) -> [success: bb17, unwind: bb59] + __t52 := _32.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t52 + // ========== loop1_group3_bb17 ========== + __t13 := true + // [mir] _30 = move (_32.0: usize) + _30 := _32.tuple_0 + label l10 + // [mir] StorageDead(_31) + // [mir] FakeRead(ForLet(None), _30) + // [mir] StorageLive(_33) + // [mir] goto -> bb18 + // ========== loop1_group3_loop18_start ========== + // ========== loop1_group3_loop18_group1_bb18 ========== + // This is a loop head + __t14 := true + // [mir] falseUnwind -> [real: bb19, unwind: bb59] + // ========== loop1_group3_loop18_group1_bb19 ========== + __t15 := true + // [mir] StorageLive(_34) + // [mir] StorageLive(_35) + // [mir] _35 = _30 + _35 := builtin$havoc_int() + _35 := _30.val_int + label l11 + // [mir] StorageLive(_36) + // [mir] StorageLive(_37) + // [mir] StorageLive(_38) + // [mir] _38 = &(*_1) + _38 := builtin$havoc_ref() + inhale acc(_38.val_ref, write) 
+ _38.val_ref := _1.val_ref + exhale acc(Array$10$i32(_1.val_ref), write - read$()) + inhale acc(Array$10$i32(_38.val_ref), read$()) + label l12 + // [mir] _37 = move _38 as &[i32] (PointerCoercion(Unsize)) + label l13 + _37 := builtin$havoc_ref() + inhale acc(_37.val_ref, write) + inhale acc(Slice$i32(_37.val_ref), read$()) + inhale Slice$len__$TY$__i32$Slice$i32$$int$(_37.val_ref) == 10 + inhale (forall i: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_38.val_ref, + i) } + { lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_37.val_ref, + i) } + 0 <= i && i < 10 ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_38.val_ref, + i) == + lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_37.val_ref, i)) + // [mir] StorageDead(_38) + // [mir] _36 = core::slice::::len(move _37) -> [return: bb20, unwind: bb59] + label l14 + _36 := builtin$havoc_int() + _36 := Slice$len__$TY$__i32$Slice$i32$$int$(_37.val_ref) + // transfer perm _37.val_ref --> old[l14](_37.val_ref) // unchecked: false + // ========== l15 ========== + // MIR edge bb19 --> bb20 + // Expire borrows + // expire_borrows ReborrowingDAG(L32,L31,L8,) + + if (__t15 && (__t15 && __t15)) { + // expire loan L8 + exhale acc(Array$10$i32(_38.val_ref), read$()) + inhale acc(Array$10$i32(_1.val_ref), write - read$()) + } + // ========== loop1_group3_loop18_group1_bb20 ========== + __t16 := true + // [mir] StorageDead(_37) + // [mir] _34 = Lt(move _35, move _36) + _34 := builtin$havoc_ref() + inhale acc(_34.val_bool, write) + _34.val_bool := _35 < _36 + // [mir] StorageDead(_36) + // [mir] StorageDead(_35) + // [mir] switchInt(move _34) -> [0: bb52, otherwise: bb21] + __t53 := _34.val_bool + if (__t53) { + goto loop1_group1_bb1 + } + goto loop1_start + + label l4 + // ========== l23 ========== + // MIR edge bb47 --> bb49 + // ========== loop1_group3_loop18_group3_bb49 ========== + __t37 := true + // [mir] _81 = const () + // [mir] goto -> bb50 + goto loop1_group1_bb3 + 
+ label l5 + // ========== l32 ========== + // MIR edge bb20 --> bb52 + // ========== l54 ========== + // drop Acc(_86.val_bool, write) (Acc(_86.val_bool, write)) + // drop Acc(__t63.val_int, write) (Acc(__t63.val_int, write)) + // drop Acc(_88.val_int, write) (Acc(_88.val_int, write)) + // drop Acc(_87.val_int, write) (Acc(_87.val_int, write)) + // drop Acc(_75.val_bool, write) (Acc(_75.val_bool, write)) + // drop Acc(_49.val_bool, write) (Acc(_49.val_bool, write)) + // drop Acc(_89.val_int, write) (Acc(_89.val_int, write)) + // drop Acc(_90.val_bool, write) (Acc(_90.val_bool, write)) + // drop Acc(_84.val_int, write) (Acc(_84.val_int, write)) + // drop Acc(_54.val_bool, write) (Acc(_54.val_bool, write)) + // drop Acc(_85.val_int, write) (Acc(_85.val_int, write)) + // drop Acc(_64.val_bool, write) (Acc(_64.val_bool, write)) + // drop Acc(_59.val_bool, write) (Acc(_59.val_bool, write)) + // drop Acc(_44.val_bool, write) (Acc(_44.val_bool, write)) + // drop Acc(_92.tuple_1.val_bool, write) (Acc(_92.tuple_1.val_bool, write)) + // drop Acc(_82.val_bool, write) (Acc(_82.val_bool, write)) + // drop Acc(__t65.val_int, write) (Acc(__t65.val_int, write)) + // drop Acc(_92.tuple_0, write) (Acc(_92.tuple_0, write)) + unfold acc(usize(_3), write) + // drop Acc(old[l30](_37.val_ref), write) (Acc(old[l30](_37.val_ref), write)) + // drop Acc(_69.val_bool, write) (Acc(_69.val_bool, write)) + // drop Acc(_83.val_int, write) (Acc(_83.val_int, write)) + // drop Pred(old[l30](_37.val_ref), read) (Pred(old[l30](_37.val_ref), read)) + // drop Acc(_92.tuple_1, write) (Acc(_92.tuple_1, write)) + goto l6 + + label l6 + // ========== loop1_group3_bb52 ========== + __t40 := true + // [mir] StorageLive(_94) + // [mir] _33 = const () + // [mir] StorageDead(_94) + // [mir] StorageDead(_34) + // [mir] StorageDead(_33) + // [mir] StorageLive(_96) + // [mir] StorageLive(_97) + // [mir] _97 = _3 + _97 := builtin$havoc_int() + _97 := _3.val_int + label l34 + // [mir] _98 = Len((*_1)) + assert 
acc(Array$10$i32(_1.val_ref), read$()) + _98 := builtin$havoc_int() + _98 := 10 + // [mir] _99 = Lt(_97, _98) + _99 := builtin$havoc_ref() + inhale acc(_99.val_bool, write) + _99.val_bool := _97 < _98 + // [mir] assert(move _99, "index out of bounds: the length is {} but the index is {}", move _98, _97) -> [success: bb53, unwind: bb59] + __t70 := _99.val_bool + // Rust assertion: "index out of bounds: the length is {} but the index is {}", move _98, _97 + assert __t70 + // ========== loop1_group3_bb53 ========== + __t41 := true + // [mir] _96 = (*_1)[_97] + __t71 := builtin$havoc_ref() + inhale acc(i32(__t71), write) + assert acc(Array$10$i32(_1.val_ref), read$()) + inhale lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + _97) == + (unfolding acc(i32(__t71), write) in __t71.val_int) + _96 := builtin$havoc_int() + unfold acc(i32(__t71), write) + _96 := __t71.val_int + label l35 + // [mir] FakeRead(ForLet(None), _96) + // [mir] StorageDead(_97) + // [mir] StorageLive(_100) + // [mir] StorageLive(_101) + // [mir] _101 = _2 + _101 := builtin$havoc_int() + _101 := _2.val_int + label l36 + // [mir] _102 = Len((*_1)) + assert acc(Array$10$i32(_1.val_ref), read$()) + _102 := builtin$havoc_int() + _102 := 10 + // [mir] _103 = Lt(_101, _102) + _103 := builtin$havoc_ref() + inhale acc(_103.val_bool, write) + _103.val_bool := _101 < _102 + // [mir] assert(move _103, "index out of bounds: the length is {} but the index is {}", move _102, _101) -> [success: bb54, unwind: bb59] + __t72 := _103.val_bool + // Rust assertion: "index out of bounds: the length is {} but the index is {}", move _102, _101 + assert __t72 + // ========== loop1_group3_bb54 ========== + __t42 := true + // [mir] _100 = (*_1)[_101] + __t73 := builtin$havoc_ref() + inhale acc(i32(__t73), write) + assert acc(Array$10$i32(_1.val_ref), read$()) + inhale lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + _101) == + (unfolding acc(i32(__t73), write) in __t73.val_int) 
+ _100 := builtin$havoc_int() + unfold acc(i32(__t73), write) + _100 := __t73.val_int + label l37 + // [mir] FakeRead(ForLet(None), _100) + // [mir] StorageDead(_101) + // [mir] StorageLive(_104) + // [mir] _104 = _100 + _104 := builtin$havoc_ref() + inhale acc(_104.val_int, write) + _104.val_int := _100 + label l38 + // [mir] StorageLive(_105) + // [mir] _105 = _3 + _105 := builtin$havoc_int() + _105 := _3.val_int + label l39 + // [mir] _106 = Len((*_1)) + assert acc(Array$10$i32(_1.val_ref), read$()) + _106 := builtin$havoc_int() + _106 := 10 + // [mir] _107 = Lt(_105, _106) + _107 := builtin$havoc_ref() + inhale acc(_107.val_bool, write) + _107.val_bool := _105 < _106 + // [mir] assert(move _107, "index out of bounds: the length is {} but the index is {}", move _106, _105) -> [success: bb55, unwind: bb59] + __t74 := _107.val_bool + // Rust assertion: "index out of bounds: the length is {} but the index is {}", move _106, _105 + assert __t74 + // ========== loop1_group3_bb55 ========== + __t43 := true + // [mir] (*_1)[_105] = move _104 + label l40 + exhale acc(Array$10$i32(_1.val_ref), write) + inhale acc(Array$10$i32(_1.val_ref), write) + inhale (forall i: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(old[l40](_1.val_ref), + i) } + 0 <= i && (i < 10 && !(i == old[l40](_105))) ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + i) == + old[l40](lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + i))) + __t75 := _104 + label l41 + inhale lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + old[l40](_105)) == + __t75.val_int + // [mir] StorageDead(_104) + // [mir] StorageDead(_105) + // [mir] StorageLive(_108) + // [mir] _108 = _96 + _108 := builtin$havoc_ref() + inhale acc(_108.val_int, write) + _108.val_int := _96 + label l42 + // [mir] StorageLive(_109) + // [mir] _109 = _2 + _109 := builtin$havoc_int() + _109 := _2.val_int + label l43 + // [mir] _110 = Len((*_1)) 
+ assert acc(Array$10$i32(_1.val_ref), read$()) + _110 := builtin$havoc_int() + _110 := 10 + // [mir] _111 = Lt(_109, _110) + _111 := builtin$havoc_ref() + inhale acc(_111.val_bool, write) + _111.val_bool := _109 < _110 + // [mir] assert(move _111, "index out of bounds: the length is {} but the index is {}", move _110, _109) -> [success: bb56, unwind: bb59] + __t76 := _111.val_bool + // Rust assertion: "index out of bounds: the length is {} but the index is {}", move _110, _109 + assert __t76 + // ========== loop1_group3_bb56 ========== + __t44 := true + // [mir] (*_1)[_109] = move _108 + label l44 + exhale acc(Array$10$i32(_1.val_ref), write) + inhale acc(Array$10$i32(_1.val_ref), write) + inhale (forall i: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(old[l44](_1.val_ref), + i) } + 0 <= i && (i < 10 && !(i == old[l44](_109))) ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + i) == + old[l44](lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + i))) + __t77 := _108 + label l45 + inhale lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + old[l44](_109)) == + __t77.val_int + // [mir] StorageDead(_108) + // [mir] StorageDead(_109) + // [mir] _112 = CheckedAdd(_3, const 1_usize) + _112 := builtin$havoc_ref() + inhale acc(_112.tuple_0, write) + inhale acc(_112.tuple_0.val_int, write) + inhale acc(_112.tuple_1, write) + inhale acc(_112.tuple_1.val_bool, write) + _112.tuple_0.val_int := _3.val_int + 1 + _112.tuple_1.val_bool := false + // [mir] assert(!move (_112.1: bool), "attempt to compute `{} + {}`, which would overflow", _3, const 1_usize) -> [success: bb57, unwind: bb59] + __t78 := _112.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t78 + // ========== loop1_group3_bb57 ========== + __t45 := true + // [mir] _3 = move (_112.0: usize) + _3 := _112.tuple_0 + label l46 + // [mir] _4 = const () + // [mir] StorageDead(_100) + // [mir] 
StorageDead(_96) + // [mir] StorageDead(_30) + // [mir] StorageDead(_5) + // [mir] goto -> bb1 + // ========== loop1_group4_bb1 ========== + // This is a loop head + __t1 := true + // [mir] falseUnwind -> [real: bb2, unwind: bb59] + // ========== loop1_group4_bb2 ========== + __t2 := true + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] _6 = _3 + _6 := builtin$havoc_int() + _6 := _3.val_int + label l47 + // [mir] StorageLive(_7) + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] _9 = &(*_1) + _9 := builtin$havoc_ref() + inhale acc(_9.val_ref, write) + _9.val_ref := _1.val_ref + exhale acc(Array$10$i32(_1.val_ref), write - read$()) + inhale acc(Array$10$i32(_9.val_ref), read$()) + label l48 + // [mir] _8 = move _9 as &[i32] (PointerCoercion(Unsize)) + label l49 + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + inhale acc(Slice$i32(_8.val_ref), read$()) + inhale Slice$len__$TY$__i32$Slice$i32$$int$(_8.val_ref) == 10 + inhale (forall i: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_9.val_ref, + i) } + { lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_8.val_ref, i) } + 0 <= i && i < 10 ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_9.val_ref, + i) == + lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_8.val_ref, i)) + // [mir] StorageDead(_9) + // [mir] _7 = core::slice::::len(move _8) -> [return: bb3, unwind: bb59] + label l50 + _7 := builtin$havoc_int() + _7 := Slice$len__$TY$__i32$Slice$i32$$int$(_8.val_ref) + // transfer perm _8.val_ref --> old[l50](_8.val_ref) // unchecked: false + // ========== l51 ========== + // MIR edge bb2 --> bb3 + // Expire borrows + // expire_borrows ReborrowingDAG(L30,L33,L0,) + + if (__t2 && (__t2 && __t2)) { + // expire loan L0 + exhale acc(Array$10$i32(_9.val_ref), read$()) + inhale acc(Array$10$i32(_1.val_ref), write - read$()) + } + // ========== loop1_group4_bb3 ========== + __t3 := true + // [mir] StorageDead(_8) + // [mir] _5 = 
Lt(move _6, move _7) + _5 := builtin$havoc_ref() + inhale acc(_5.val_bool, write) + _5.val_bool := _6 < _7 + // [mir] StorageDead(_7) + // [mir] StorageDead(_6) + // [mir] switchInt(move _5) -> [0: bb58, otherwise: bb4] + __t79 := _5.val_bool + if (__t79) { + goto loop1_inv_post_perm + } + goto loop1_group2_bb4 + + label loop1_group1_bb1 + // ========== l17 ========== + // MIR edge bb20 --> bb21 + // ========== loop1_group3_loop18_group2_bb21 ========== + __t17 := true + // [mir] StorageLive(_39) + // [mir] StorageLive(_40) + // [mir] _40 = const false + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + _40.val_bool := false + // [mir] switchInt(move _40) -> [0: bb23, otherwise: bb22] + __t54 := _40.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_loop18_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb18) + _preserve$0 := _1.val_ref + fold acc(usize(_2), write) + // obtain acc(usize(_2), write) + fold acc(usize(_30), write) + // obtain acc(usize(_30), write) + fold acc(usize(_3), write) + // obtain acc(usize(_3), read) + // obtain acc(_1.val_ref, read) + // obtain acc(Array$10$i32(_1.val_ref), read) + assert 0 <= (unfolding acc(usize(_3), write) in _3.val_int) && + (unfolding acc(usize(_3), write) in _3.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + 0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_3), write) in _3.val_int)) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), 
read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0))))) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int)) || + (!((unfolding acc(usize(_3), write) in _3.val_int) <= _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0)))))) && + ((unfolding acc(usize(_3), write) in _3.val_int) < + (unfolding acc(usize(_30), write) in _30.val_int) && + (unfolding acc(usize(_30), write) in _30.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) <= + (unfolding acc(usize(_2), write) in _2.val_int) && + (unfolding acc(usize(_2), write) in _2.val_int) < 10 && + ((forall _0_quant_0: Int :: + { 
read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) } + 0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + ((unfolding acc(usize(_2), write) in _2.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_2), write) in _2.val_int))))) && + (forall _0_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) } + 0 <= _0_quant_0 ==> + !((unfolding acc(usize(_3), write) in _3.val_int) <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_30), write) in _30.val_int)) || + (_0_quant_0 < 10 ==> + (unfolding acc(usize(_2), write) in _2.val_int) < 10 && + (_0_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_2), write) in _2.val_int)) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0))))))))))) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(usize(_2), write) && + (acc(usize(_30), write) && + (acc(usize(_3), read$()) && + (acc(_1.val_ref, read$()) && acc(Array$10$i32(_1.val_ref), read$())))) + _2 := builtin$havoc_ref() + _30 := builtin$havoc_ref() + _34 := builtin$havoc_ref() + _35 := builtin$havoc_int() + _36 := builtin$havoc_int() + _37 := builtin$havoc_ref() + _38 := builtin$havoc_ref() + _40 := builtin$havoc_ref() + _44 := builtin$havoc_ref() + _49 := 
builtin$havoc_ref() + _54 := builtin$havoc_ref() + _59 := builtin$havoc_ref() + _64 := builtin$havoc_ref() + _69 := builtin$havoc_ref() + _75 := builtin$havoc_ref() + _82 := builtin$havoc_ref() + _83 := builtin$havoc_int() + _84 := builtin$havoc_int() + _85 := builtin$havoc_int() + _86 := builtin$havoc_ref() + _87 := builtin$havoc_int() + _88 := builtin$havoc_int() + _89 := builtin$havoc_int() + _90 := builtin$havoc_ref() + _91 := builtin$havoc_ref() + _92 := builtin$havoc_ref() + __t14 := builtin$havoc_bool() + __t15 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_bool() + __t18 := builtin$havoc_bool() + __t19 := builtin$havoc_bool() + __t20 := builtin$havoc_bool() + __t21 := builtin$havoc_bool() + __t22 := builtin$havoc_bool() + __t23 := builtin$havoc_bool() + __t24 := builtin$havoc_bool() + __t25 := builtin$havoc_bool() + __t26 := builtin$havoc_bool() + __t27 := builtin$havoc_bool() + __t28 := builtin$havoc_bool() + __t29 := builtin$havoc_bool() + __t30 := builtin$havoc_bool() + __t31 := builtin$havoc_bool() + __t32 := builtin$havoc_bool() + __t33 := builtin$havoc_bool() + __t34 := builtin$havoc_bool() + __t35 := builtin$havoc_bool() + __t36 := builtin$havoc_bool() + __t37 := builtin$havoc_bool() + __t38 := builtin$havoc_bool() + __t39 := builtin$havoc_bool() + __t55 := builtin$havoc_bool() + __t56 := builtin$havoc_bool() + __t57 := builtin$havoc_bool() + __t58 := builtin$havoc_bool() + __t59 := builtin$havoc_bool() + __t60 := builtin$havoc_bool() + __t61 := builtin$havoc_bool() + __t62 := builtin$havoc_bool() + __t63 := builtin$havoc_ref() + __t64 := builtin$havoc_bool() + __t65 := builtin$havoc_ref() + __t66 := builtin$havoc_bool() + __t67 := builtin$havoc_bool() + __t68 := builtin$havoc_bool() + __t69 := builtin$havoc_bool() + // ========== loop1_group3_loop18_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb18 + inhale acc(usize(_2), write) && + (acc(usize(_30), write) && + (acc(usize(_3), 
read$()) && + (acc(_1.val_ref, read$()) && acc(Array$10$i32(_1.val_ref), read$())))) + inhale _preserve$0 == _1.val_ref + inhale true + // ========== loop1_group3_loop18_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb18 + inhale 0 <= (unfolding acc(usize(_3), write) in _3.val_int) && + (unfolding acc(usize(_3), write) in _3.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + 0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_3), write) in _3.val_int)) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0))))) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } 
+ 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int)) || + (!((unfolding acc(usize(_3), write) in _3.val_int) <= _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0)))))) && + ((unfolding acc(usize(_3), write) in _3.val_int) < + (unfolding acc(usize(_30), write) in _30.val_int) && + (unfolding acc(usize(_30), write) in _30.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) <= + (unfolding acc(usize(_2), write) in _2.val_int) && + (unfolding acc(usize(_2), write) in _2.val_int) < 10 && + ((forall _0_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) } + 0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + ((unfolding acc(usize(_2), write) in _2.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_2), write) in _2.val_int))))) && + (forall _0_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) } + 0 <= _0_quant_0 ==> + !((unfolding acc(usize(_3), write) in _3.val_int) <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_30), write) in _30.val_int)) || 
+ (_0_quant_0 < 10 ==> + (unfolding acc(usize(_2), write) in _2.val_int) < 10 && + (_0_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_2), write) in _2.val_int)) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0))))))))))) + // ========== loop1_group3_loop18_group3_bb23 ========== + __t18 := true + // [mir] _39 = const () + // [mir] goto -> bb24 + // ========== loop1_group3_loop18_group3_bb24 ========== + __t19 := true + // [mir] StorageDead(_40) + // [mir] StorageDead(_39) + // [mir] StorageLive(_43) + // [mir] StorageLive(_44) + // [mir] _44 = const false + _44 := builtin$havoc_ref() + inhale acc(_44.val_bool, write) + _44.val_bool := false + // [mir] switchInt(move _44) -> [0: bb26, otherwise: bb25] + __t55 := _44.val_bool + // Ignore default target bb25, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_loop18_group3_bb26 ========== + __t20 := true + // [mir] _43 = const () + // [mir] goto -> bb27 + // ========== loop1_group3_loop18_group3_bb27 ========== + __t21 := true + // [mir] StorageDead(_44) + // [mir] StorageDead(_43) + // [mir] StorageLive(_48) + // [mir] StorageLive(_49) + // [mir] _49 = const false + _49 := builtin$havoc_ref() + inhale acc(_49.val_bool, write) + _49.val_bool := false + // [mir] switchInt(move _49) -> [0: bb29, otherwise: bb28] + __t56 := _49.val_bool + // Ignore default target bb28, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_group3_loop18_group3_bb29 ========== + __t22 := true + // [mir] _48 = const () + // [mir] goto -> bb30 + // ========== loop1_group3_loop18_group3_bb30 ========== + __t23 := true + // [mir] StorageDead(_49) + // [mir] StorageDead(_48) + // [mir] StorageLive(_53) + // [mir] StorageLive(_54) + // [mir] _54 = const false + _54 := builtin$havoc_ref() + inhale acc(_54.val_bool, write) + _54.val_bool := false + // [mir] switchInt(move _54) -> [0: bb32, otherwise: bb31] + __t57 := _54.val_bool + // Ignore default target bb31, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_loop18_group3_bb32 ========== + __t24 := true + // [mir] _53 = const () + // [mir] goto -> bb33 + // ========== loop1_group3_loop18_group3_bb33 ========== + __t25 := true + // [mir] StorageDead(_54) + // [mir] StorageDead(_53) + // [mir] StorageLive(_58) + // [mir] StorageLive(_59) + // [mir] _59 = const false + _59 := builtin$havoc_ref() + inhale acc(_59.val_bool, write) + _59.val_bool := false + // [mir] switchInt(move _59) -> [0: bb35, otherwise: bb34] + __t58 := _59.val_bool + // Ignore default target bb34, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_loop18_group3_bb35 ========== + __t26 := true + // [mir] _58 = const () + // [mir] goto -> bb36 + // ========== loop1_group3_loop18_group3_bb36 ========== + __t27 := true + // [mir] StorageDead(_59) + // [mir] StorageDead(_58) + // [mir] StorageLive(_63) + // [mir] StorageLive(_64) + // [mir] _64 = const false + _64 := builtin$havoc_ref() + inhale acc(_64.val_bool, write) + _64.val_bool := false + // [mir] switchInt(move _64) -> [0: bb38, otherwise: bb37] + __t59 := _64.val_bool + // Ignore default target bb37, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_group3_loop18_group3_bb38 ========== + __t28 := true + // [mir] _63 = const () + // [mir] goto -> bb39 + // ========== loop1_group3_loop18_group3_bb39 ========== + __t29 := true + // [mir] StorageDead(_64) + // [mir] StorageDead(_63) + // [mir] StorageLive(_68) + // [mir] StorageLive(_69) + // [mir] _69 = const false + _69 := builtin$havoc_ref() + inhale acc(_69.val_bool, write) + _69.val_bool := false + // [mir] switchInt(move _69) -> [0: bb41, otherwise: bb40] + __t60 := _69.val_bool + // Ignore default target bb40, as it is only used by Prusti to type-check a loop invariant. + // ========== loop1_group3_loop18_group3_bb41 ========== + __t30 := true + // [mir] _68 = const () + // [mir] goto -> bb42 + // ========== loop1_group3_loop18_group3_bb42 ========== + __t31 := true + // [mir] StorageDead(_69) + // [mir] StorageDead(_68) + // [mir] StorageLive(_74) + // [mir] StorageLive(_75) + // [mir] _75 = const false + _75 := builtin$havoc_ref() + inhale acc(_75.val_bool, write) + _75.val_bool := false + // [mir] switchInt(move _75) -> [0: bb44, otherwise: bb43] + __t61 := _75.val_bool + // Ignore default target bb43, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_group3_loop18_group3_bb44 ========== + __t32 := true + // [mir] _74 = const () + // [mir] goto -> bb45 + // ========== loop1_group3_loop18_group3_bb45 ========== + __t33 := true + // [mir] StorageDead(_75) + // [mir] StorageDead(_74) + // [mir] StorageLive(_81) + // [mir] StorageLive(_82) + // [mir] StorageLive(_83) + // [mir] StorageLive(_84) + // [mir] _84 = _30 + _84 := builtin$havoc_int() + unfold acc(usize(_30), write) + _84 := _30.val_int + label l18 + // [mir] _85 = Len((*_1)) + assert acc(Array$10$i32(_1.val_ref), read$()) + _85 := builtin$havoc_int() + _85 := 10 + // [mir] _86 = Lt(_84, _85) + _86 := builtin$havoc_ref() + inhale acc(_86.val_bool, write) + _86.val_bool := _84 < _85 + // [mir] assert(move _86, "index out of bounds: the length is {} but the index is {}", move _85, _84) -> [success: bb46, unwind: bb59] + __t62 := _86.val_bool + // Rust assertion: "index out of bounds: the length is {} but the index is {}", move _85, _84 + assert __t62 + // ========== loop1_group3_loop18_group3_bb46 ========== + __t34 := true + // [mir] _83 = (*_1)[_84] + __t63 := builtin$havoc_ref() + inhale acc(i32(__t63), write) + assert acc(Array$10$i32(_1.val_ref), read$()) + inhale lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + _84) == + (unfolding acc(i32(__t63), write) in __t63.val_int) + _83 := builtin$havoc_int() + unfold acc(i32(__t63), write) + _83 := __t63.val_int + label l19 + // [mir] StorageLive(_87) + // [mir] StorageLive(_88) + // [mir] _88 = _2 + _88 := builtin$havoc_int() + unfold acc(usize(_2), write) + _88 := _2.val_int + label l20 + // [mir] _89 = Len((*_1)) + assert acc(Array$10$i32(_1.val_ref), read$()) + _89 := builtin$havoc_int() + _89 := 10 + // [mir] _90 = Lt(_88, _89) + _90 := builtin$havoc_ref() + inhale acc(_90.val_bool, write) + _90.val_bool := _88 < _89 + // [mir] assert(move _90, "index out of bounds: the length is {} but the index is {}", move _89, _88) -> [success: bb47, unwind: bb59] + __t64 
:= _90.val_bool + // Rust assertion: "index out of bounds: the length is {} but the index is {}", move _89, _88 + assert __t64 + // ========== loop1_group3_loop18_group3_bb47 ========== + __t35 := true + // [mir] _87 = (*_1)[_88] + __t65 := builtin$havoc_ref() + inhale acc(i32(__t65), write) + assert acc(Array$10$i32(_1.val_ref), read$()) + inhale lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_1.val_ref, + _88) == + (unfolding acc(i32(__t65), write) in __t65.val_int) + _87 := builtin$havoc_int() + unfold acc(i32(__t65), write) + _87 := __t65.val_int + label l21 + // [mir] _82 = Lt(move _83, move _87) + _82 := builtin$havoc_ref() + inhale acc(_82.val_bool, write) + _82.val_bool := _83 < _87 + // [mir] StorageDead(_88) + // [mir] StorageDead(_87) + // [mir] StorageDead(_84) + // [mir] StorageDead(_83) + // [mir] switchInt(move _82) -> [0: bb49, otherwise: bb48] + __t66 := _82.val_bool + if (!__t66) { + goto l4 + } + goto loop1_group1_bb2 + + label loop1_group1_bb2 + // ========== l22 ========== + // MIR edge bb47 --> bb48 + // ========== loop1_group3_loop18_group3_bb48 ========== + __t36 := true + // [mir] StorageLive(_91) + // [mir] _91 = _30 + _91 := builtin$havoc_ref() + inhale acc(_91.val_int, write) + _91.val_int := _30.val_int + label l24 + // [mir] _2 = move _91 + _2 := _91 + label l25 + // [mir] StorageDead(_91) + // [mir] _81 = const () + // [mir] goto -> bb50 + goto loop1_group1_bb3 + + label loop1_group1_bb3 + // ========== loop1_group3_loop18_group3_bb50 ========== + __t38 := true + // [mir] StorageDead(_82) + // [mir] StorageDead(_81) + // [mir] _92 = CheckedAdd(_30, const 1_usize) + _92 := builtin$havoc_ref() + inhale acc(_92.tuple_0, write) + inhale acc(_92.tuple_0.val_int, write) + inhale acc(_92.tuple_1, write) + inhale acc(_92.tuple_1.val_bool, write) + _92.tuple_0.val_int := _30.val_int + 1 + _92.tuple_1.val_bool := false + // [mir] assert(!move (_92.1: bool), "attempt to compute `{} + {}`, which would overflow", _30, const 1_usize) 
-> [success: bb51, unwind: bb59] + __t67 := _92.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t67 + // ========== loop1_group3_loop18_group3_bb51 ========== + __t39 := true + // [mir] _30 = move (_92.0: usize) + _30 := _92.tuple_0 + label l26 + // [mir] _4 = const () + // [mir] StorageDead(_34) + // [mir] goto -> bb18 + // ========== loop1_group3_loop18_group4_bb18 ========== + // This is a loop head + __t14 := true + // [mir] falseUnwind -> [real: bb19, unwind: bb59] + // ========== loop1_group3_loop18_group4_bb19 ========== + __t15 := true + // [mir] StorageLive(_34) + // [mir] StorageLive(_35) + // [mir] _35 = _30 + _35 := builtin$havoc_int() + _35 := _30.val_int + label l27 + // [mir] StorageLive(_36) + // [mir] StorageLive(_37) + // [mir] StorageLive(_38) + // [mir] _38 = &(*_1) + _38 := builtin$havoc_ref() + inhale acc(_38.val_ref, write) + _38.val_ref := _1.val_ref + exhale acc(Array$10$i32(_1.val_ref), write - read$()) + inhale acc(Array$10$i32(_38.val_ref), read$()) + label l28 + // [mir] _37 = move _38 as &[i32] (PointerCoercion(Unsize)) + label l29 + _37 := builtin$havoc_ref() + inhale acc(_37.val_ref, write) + inhale acc(Slice$i32(_37.val_ref), read$()) + inhale Slice$len__$TY$__i32$Slice$i32$$int$(_37.val_ref) == 10 + inhale (forall i: Int :: + { lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_38.val_ref, + i) } + { lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_37.val_ref, + i) } + 0 <= i && i < 10 ==> + lookup_pure__$TY$__Array$10$i32$i32$Array$10$i32$$int$$$int$(_38.val_ref, + i) == + lookup_pure__$TY$__Slice$i32$i32$Slice$i32$$int$$$int$(_37.val_ref, i)) + // [mir] StorageDead(_38) + // [mir] _36 = core::slice::::len(move _37) -> [return: bb20, unwind: bb59] + label l30 + _36 := builtin$havoc_int() + _36 := Slice$len__$TY$__i32$Slice$i32$$int$(_37.val_ref) + // transfer perm _37.val_ref --> old[l30](_37.val_ref) // unchecked: false + // ========== l31 ========== + // MIR edge bb19 --> bb20 + 
// Expire borrows + // expire_borrows ReborrowingDAG(L32,L31,L8,) + + if (__t15 && (__t15 && __t15)) { + // expire loan L8 + exhale acc(Array$10$i32(_38.val_ref), read$()) + inhale acc(Array$10$i32(_1.val_ref), write - read$()) + } + // ========== loop1_group3_loop18_group4_bb20 ========== + __t16 := true + // [mir] StorageDead(_37) + // [mir] _34 = Lt(move _35, move _36) + _34 := builtin$havoc_ref() + inhale acc(_34.val_bool, write) + _34.val_bool := _35 < _36 + // [mir] StorageDead(_36) + // [mir] StorageDead(_35) + // [mir] switchInt(move _34) -> [0: bb52, otherwise: bb21] + __t68 := _34.val_bool + if (__t68) { + goto loop1_inv_post_fnspc + } + goto l5 + + label loop1_group2_bb4 + // ========== l52 ========== + // MIR edge bb3 --> bb58 + // ========== l56 ========== + // drop Acc(_35.val_int, write) (Acc(_35.val_int, write)) + // drop Acc(__t77.val_int, write) (Acc(__t77.val_int, write)) + // drop Acc(_105.val_int, write) (Acc(_105.val_int, write)) + // drop Acc(_36.val_int, write) (Acc(_36.val_int, write)) + // drop Acc(_32.tuple_1.val_bool, write) (Acc(_32.tuple_1.val_bool, write)) + // drop Acc(_109.val_int, write) (Acc(_109.val_int, write)) + // drop Acc(_32.tuple_0, write) (Acc(_32.tuple_0, write)) + // drop Acc(_99.val_bool, write) (Acc(_99.val_bool, write)) + // drop Acc(_101.val_int, write) (Acc(_101.val_int, write)) + // drop Acc(__t71.val_int, write) (Acc(__t71.val_int, write)) + // drop Acc(_97.val_int, write) (Acc(_97.val_int, write)) + // drop Acc(_2.val_int, write) (Acc(_2.val_int, write)) + // drop Acc(_38.val_ref, write) (Acc(_38.val_ref, write)) + // drop Acc(_34.val_bool, write) (Acc(_34.val_bool, write)) + // drop Acc(_31.val_int, write) (Acc(_31.val_int, write)) + // drop Acc(_100.val_int, write) (Acc(_100.val_int, write)) + // drop Acc(__t75.val_int, write) (Acc(__t75.val_int, write)) + // drop Acc(old[l50](_8.val_ref), write) (Acc(old[l50](_8.val_ref), write)) + // drop Acc(_112.tuple_1.val_bool, write) (Acc(_112.tuple_1.val_bool, write)) + 
// drop Acc(_112.tuple_0, write) (Acc(_112.tuple_0, write)) + // drop Acc(__t73.val_int, write) (Acc(__t73.val_int, write)) + // drop Acc(_37.val_ref, write) (Acc(_37.val_ref, write)) + // drop Acc(_30.val_int, write) (Acc(_30.val_int, write)) + // drop Acc(_111.val_bool, write) (Acc(_111.val_bool, write)) + // drop Acc(_98.val_int, write) (Acc(_98.val_int, write)) + // drop Acc(_25.val_bool, write) (Acc(_25.val_bool, write)) + // drop Acc(_96.val_int, write) (Acc(_96.val_int, write)) + // drop Acc(_102.val_int, write) (Acc(_102.val_int, write)) + // drop Acc(_20.val_bool, write) (Acc(_20.val_bool, write)) + // drop Acc(_107.val_bool, write) (Acc(_107.val_bool, write)) + // drop Acc(old[l14](_37.val_ref), write) (Acc(old[l14](_37.val_ref), write)) + // drop Acc(_15.val_bool, write) (Acc(_15.val_bool, write)) + // drop Acc(_103.val_bool, write) (Acc(_103.val_bool, write)) + // drop Acc(_106.val_int, write) (Acc(_106.val_int, write)) + // drop Acc(_110.val_int, write) (Acc(_110.val_int, write)) + // drop Pred(old[l50](_8.val_ref), read) (Pred(old[l50](_8.val_ref), read)) + // drop Pred(old[l14](_37.val_ref), read) (Pred(old[l14](_37.val_ref), read)) + // drop Acc(_32.tuple_1, write) (Acc(_32.tuple_1, write)) + // drop Acc(_112.tuple_1, write) (Acc(_112.tuple_1, write)) + goto loop1_inv_pre + + label loop1_inv_post_fnspc + // ========== l33 ========== + // MIR edge bb20 --> bb21 + // ========== loop1_group3_loop18_group5_bb21 ========== + __t17 := true + // [mir] StorageLive(_39) + // [mir] StorageLive(_40) + // [mir] _40 = const false + _40 := builtin$havoc_ref() + inhale acc(_40.val_bool, write) + _40.val_bool := false + // [mir] switchInt(move _40) -> [0: bb23, otherwise: bb22] + __t69 := _40.val_bool + // Ignore default target bb22, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_group3_loop18_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb18) + fold acc(usize(_2), write) + // obtain acc(usize(_2), write) + fold acc(usize(_30), write) + // obtain acc(usize(_30), write) + // obtain acc(usize(_3), read) + // obtain acc(_1.val_ref, read) + // obtain acc(Array$10$i32(_1.val_ref), read) + assert 0 <= (unfolding acc(usize(_3), write) in _3.val_int) && + (unfolding acc(usize(_3), write) in _3.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + 0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_3), write) in _3.val_int)) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0))))) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), 
read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int)) || + (!((unfolding acc(usize(_3), write) in _3.val_int) <= _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0)))))) && + ((unfolding acc(usize(_3), write) in _3.val_int) < + (unfolding acc(usize(_30), write) in _30.val_int) && + (unfolding acc(usize(_30), write) in _30.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) <= + (unfolding acc(usize(_2), write) in _2.val_int) && + (unfolding acc(usize(_2), write) in _2.val_int) < 10 && + ((forall _0_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) } + 0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + ((unfolding acc(usize(_2), write) in _2.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_2), write) in _2.val_int))))) && + (forall _0_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) } + 0 <= 
_0_quant_0 ==> + !((unfolding acc(usize(_3), write) in _3.val_int) <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_30), write) in _30.val_int)) || + (_0_quant_0 < 10 ==> + (unfolding acc(usize(_2), write) in _2.val_int) < 10 && + (_0_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_2), write) in _2.val_int)) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0))))))))))) + assert true + assert _preserve$0 == _1.val_ref + exhale acc(usize(_2), write) && + (acc(usize(_30), write) && + (acc(usize(_3), read$()) && + (acc(_1.val_ref, read$()) && acc(Array$10$i32(_1.val_ref), read$())))) + inhale false + goto end_of_method + + label loop1_inv_post_perm + // ========== l53 ========== + // MIR edge bb3 --> bb4 + // ========== loop1_group5_bb4 ========== + __t4 := true + // [mir] StorageLive(_10) + // [mir] StorageLive(_11) + // [mir] _11 = const false + _11 := builtin$havoc_ref() + inhale acc(_11.val_bool, write) + _11.val_bool := false + // [mir] switchInt(move _11) -> [0: bb6, otherwise: bb5] + __t80 := _11.val_bool + // Ignore default target bb5, as it is only used by Prusti to type-check a loop invariant. 
+ // ========== loop1_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb1) + // obtain acc(_1.val_ref, read) + fold acc(usize(_3), write) + // obtain acc(usize(_3), write) + // obtain acc(Array$10$i32(_1.val_ref), write) + assert 0 <= (unfolding acc(usize(_3), write) in _3.val_int) && + (unfolding acc(usize(_3), write) in _3.val_int) < 10 && + ((unfolding acc(usize(_3), write) in _3.val_int) < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + 0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + (unfolding acc(usize(_3), write) in _3.val_int)) && + ((forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int) ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0))))) && + (forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0) 
} + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < (unfolding acc(usize(_3), write) in _3.val_int)) || + (!((unfolding acc(usize(_3), write) in _3.val_int) <= _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_1.val_ref), + _1_quant_0)))))))) + assert true + exhale acc(_1.val_ref, read$()) && + (acc(usize(_3), write) && acc(Array$10$i32(_1.val_ref), write)) + inhale false + goto end_of_method + + label loop1_inv_pre + // ========== bb58 ========== + __t46 := true + // [mir] StorageLive(_114) + // [mir] _0 = const () + // [mir] StorageDead(_114) + // [mir] StorageDead(_5) + // [mir] StorageDead(_3) + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l55 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(Array$10$i32(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (forall _0_quant_0: Int, _1_quant_0: Int :: + { read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_old$pre$0), + _0_quant_0), read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_old$pre$0), + _1_quant_0) } + 0 <= _0_quant_0 && 0 <= _1_quant_0 ==> + !(0 <= _0_quant_0) || + (!(_0_quant_0 < _1_quant_0) || + (_1_quant_0 < 10 ==> + _0_quant_0 < 10 && + (_1_quant_0 < 10 && + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_old$pre$0), + _0_quant_0) <= + read$Snap$Array$10$i32$__$TY$__Snap$Array$10$i32$$int$$$int$(snap$__$TY$__Snap$Array$10$i32$Array$10$i32$Snap$Array$10$i32(_old$pre$0), + _1_quant_0))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(Array$10$i32(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label loop1_start + // ========== l16 ========== + // MIR edge bb20 --> bb52 + goto l6 + + label return + // ========== l5 ========== + // MIR edge bb3 --> bb58 + goto loop1_inv_pre + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final---openang-List-space-as-space-std--ops--Drop-closean.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final---openang-List-space-as-space-std--ops--Drop-closean.vpr
new file mode 100644
index 00000000..c62b8da2
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final---openang-List-space-as-space-std--ops--Drop-closean.vpr
@@ -0,0 +1,912 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + + function mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + 
cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0: Int, + _1: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$injectivity { + (forall _l_0: Int, _l_1: Snap$m_Link$_beg_$_end_, _r_0: Int, _r_1: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom 
Snap$struct$m_Node$0$field$f$elem$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Node$0$field$f$next$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation 
"fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: 
FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function 
bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 
interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: 
BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: 
BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$elem: Ref + +field f$head: Ref + +field f$next: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? 
+ 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1, + _2), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + (_2 != 0 ? + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)), + _2 - 1) : + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node((unfolding acc(struct$m_Node(self), read$()) in + (unfolding acc(i32(self.f$elem), read$()) in self.f$elem.val_int)), (unfolding acc(struct$m_Node(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$next))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate struct$m_Node(self: Ref) { + acc(self.f$elem, write) && + (acc(i32(self.f$elem), write) && + (acc(self.f$next, write) && acc(m_Link$_beg_$_end_(self.f$next), write))) +} + +predicate 
struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_$openang$List$space$as$space$std$$ops$$Drop$closeang$$$drop() + returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Int + var __t18: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _8: Ref + var _9: Int + var _10: Ref + var _11: Ref + var _12: Ref + var _13: Ref + var _14: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#3}::drop" + // Span: tests/verify/pass/larger/first-final.rs:165:5: 177:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(struct$m_List(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = &mut ((*_1).0: Link) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + unfold acc(struct$m_List(_1.val_ref), write) + _4.val_ref := _1.val_ref.f$head + label l0 + // [mir] _3 = &mut (*_4) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + _3.val_ref := _4.val_ref + label l1 + // [mir] StorageLive(_5) + // [mir] _5 = Link::Empty + _5 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(_5), write) + inhale 
m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_5) == + 0 + // [mir] _2 = replace(move _3, move _5) -> [return: bb1, unwind: bb19] + label l2 + assert f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_5)) + assert true + exhale acc(_3.val_ref, write) && + (acc(m_Link$_beg_$_end_(_3.val_ref), write) && + acc(m_Link$_beg_$_end_(_5), write)) + _2 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(old[l2](_3.val_ref)), write) + inhale acc(m_Link$_beg_$_end_(_2), write) + inhale true + inhale f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(old[l2](_3.val_ref))) && + (old[l2](f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_3.val_ref))) == + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2)) ==> + old[l2](f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_3.val_ref), + _0_quant_0)) == + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2), + _0_quant_0)))) + label l3 + // ========== l4 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L8,L1,L0,) + + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_5) + // [mir] StorageDead(_3) + // [mir] FakeRead(ForLet(None), _2) + // [mir] StorageDead(_4) + // [mir] StorageLive(_6) + // [mir] _6 = const true + _6 := 
builtin$havoc_ref() + inhale acc(_6.val_bool, write) + _6.val_bool := true + // [mir] FakeRead(ForLet(None), _6) + // [mir] goto -> bb2 + // ========== loop2_start ========== + // ========== loop2_group1_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb18] + // ========== loop2_group1_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = _6 + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _6.val_bool + label l5 + // [mir] switchInt(move _8) -> [0: bb13, otherwise: bb4] + __t15 := _8.val_bool + if (__t15) { + goto bb0 + } + goto return + + label bb0 + // ========== l7 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_inv_pre ========== + // Assert and exhale the loop body invariant (loop head: bb2) + // obtain acc(m_Link$_beg_$_end_(_2), write) + fold acc(bool(_6), write) + // obtain acc(bool(_6), write) + assert true + exhale acc(m_Link$_beg_$_end_(_2), write) && acc(bool(_6), write) + _10 := builtin$havoc_ref() + _11 := builtin$havoc_ref() + _12 := builtin$havoc_ref() + _13 := builtin$havoc_ref() + _14 := builtin$havoc_ref() + _2 := builtin$havoc_ref() + _8 := builtin$havoc_ref() + _9 := builtin$havoc_int() + __t10 := builtin$havoc_bool() + __t11 := builtin$havoc_bool() + __t12 := builtin$havoc_bool() + __t16 := builtin$havoc_bool() + __t17 := builtin$havoc_int() + __t18 := builtin$havoc_bool() + __t2 := builtin$havoc_bool() + __t3 := builtin$havoc_bool() + __t4 := builtin$havoc_bool() + __t5 := builtin$havoc_bool() + __t6 := builtin$havoc_bool() + __t7 := builtin$havoc_bool() + __t8 := builtin$havoc_bool() + __t9 := builtin$havoc_bool() + // ========== loop2_inv_post_perm ========== + // Inhale the loop permissions invariant of block bb2 + inhale acc(m_Link$_beg_$_end_(_2), write) && acc(bool(_6), write) + inhale true + // ========== loop2_group2a_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb18] + 
// ========== loop2_group2a_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = _6 + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + unfold acc(bool(_6), write) + _8.val_bool := _6.val_bool + label l8 + // [mir] switchInt(move _8) -> [0: bb13, otherwise: bb4] + __t16 := _8.val_bool + if (__t16) { + goto bb1 + } + goto l4 + + label bb1 + // ========== l10 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_inv_post_fnspc ========== + // Inhale the loop fnspec invariant of block bb2 + // ========== loop2_group3_bb4 ========== + __t4 := true + // [mir] FakeRead(ForMatchedPlace(None), _2) + // [mir] _9 = discriminant(_2) + _9 := builtin$havoc_int() + _9 := m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_2) + // [mir] switchInt(move _9) -> [1: bb5, otherwise: bb11] + __t17 := _9 + if (__t17 == 1) { + goto loop2_group1_bb2 + } + goto loop2_start + + label l4 + // ========== l9 ========== + // MIR edge bb3 --> bb13 + goto end_of_method + + label l6 + // ========== l21 ========== + // MIR edge bb3 --> bb13 + // ========== l25 ========== + // drop Acc(_9.val_int, write) (Acc(_9.val_int, write)) + goto l7 + + label l7 + // ========== bb13 ========== + __t13 := true + // [mir] StorageLive(_16) + // [mir] _0 = const () + // [mir] StorageDead(_16) + // [mir] StorageDead(_8) + // [mir] StorageDead(_6) + // [mir] drop(_2) -> [return: bb15, unwind: bb20] + // ========== bb15 ========== + __t14 := true + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l24 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_List(_1.val_ref), write) + // obtain acc(struct$m_List(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_List(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label loop2_group1_bb2 + // ========== l12 ========== + // MIR edge bb4 --> bb5 + // ========== loop2_group3_bb5 ========== + __t6 := true + // [mir] falseEdge -> [real: bb6, imaginary: bb11] + // ========== loop2_group3_bb6 ========== + __t7 := true + // [mir] StorageLive(_10) + // [mir] _10 = move ((_2 as More).0: std::boxed::Box) + unfold acc(m_Link$_beg_$_end_(_2), write) + unfold acc(m_Link$_beg_$_end_More(_2.enum_More), write) + _10 := _2.enum_More.f$0 + label l13 + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = &mut ((*_10).1: Link) + _13 := builtin$havoc_ref() + inhale acc(_13.val_ref, write) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_10), write) + unfold acc(struct$m_Node(_10.val_ref), write) + _13.val_ref := _10.val_ref.f$next + label l14 + // [mir] _12 = &mut (*_13) + _12 := builtin$havoc_ref() + inhale acc(_12.val_ref, write) + _12.val_ref := _13.val_ref + label l15 + // [mir] StorageLive(_14) + // [mir] _14 = Link::Empty + _14 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(_14), write) + inhale m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_14) == + 0 + // [mir] _11 = replace(move _12, move _14) -> [return: bb7, unwind: bb16] + label l16 + assert 
f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_14)) + assert true + exhale acc(_12.val_ref, write) && + (acc(m_Link$_beg_$_end_(_12.val_ref), write) && + acc(m_Link$_beg_$_end_(_14), write)) + _11 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(old[l16](_12.val_ref)), write) + inhale acc(m_Link$_beg_$_end_(_11), write) + inhale true + inhale f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(old[l16](_12.val_ref))) && + (old[l16](f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_12.val_ref))) == + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_11)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_11)) ==> + old[l16](f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_12.val_ref), + _0_quant_0)) == + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_11), + _0_quant_0)))) + label l17 + // ========== l18 ========== + // MIR edge bb6 --> bb7 + // Expire borrows + // expire_borrows ReborrowingDAG(L7,L3,L2,) + + // ========== loop2_group3_bb7 ========== + __t8 := true + // [mir] StorageDead(_14) + // [mir] StorageDead(_12) + // [mir] drop(_2) -> [return: bb8, unwind: bb9] + // ========== loop2_group3_bb8 ========== + __t9 := true + // [mir] _2 = move _11 + _2 := _11 + label l19 + // [mir] drop(_11) -> [return: bb10, unwind: bb17] + // ========== loop2_group3_bb10 ========== + __t10 := true + 
// [mir] StorageDead(_11) + // [mir] StorageDead(_13) + // [mir] _7 = const () + // [mir] drop(_10) -> [return: bb12, unwind: bb18] + // ========== loop2_group3_bb12 ========== + __t11 := true + // [mir] StorageDead(_10) + // [mir] goto -> bb14 + // ========== l23 ========== + // drop Acc(_13.val_ref, write) (Acc(_13.val_ref, write)) + // drop Acc(_10.val_ref.f$elem, write) (Acc(_10.val_ref.f$elem, write)) + // drop Acc(_10.val_ref.f$next, write) (Acc(_10.val_ref.f$next, write)) + // drop Pred(_10.val_ref.f$elem, write) (Pred(_10.val_ref.f$elem, write)) + // drop Pred(_10.val_ref.f$next, write) (Pred(_10.val_ref.f$next, write)) + // drop Acc(_10.val_ref, write) (Acc(_10.val_ref, write)) + goto loop2_group1_bb3 + + label loop2_group1_bb3 + // ========== loop2_group3_bb14 ========== + __t12 := true + // [mir] StorageDead(_8) + // [mir] goto -> bb2 + // ========== loop2_group4_bb2 ========== + // This is a loop head + __t2 := true + // [mir] falseUnwind -> [real: bb3, unwind: bb18] + // ========== loop2_group4_bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = _6 + _8 := builtin$havoc_ref() + inhale acc(_8.val_bool, write) + _8.val_bool := _6.val_bool + label l20 + // [mir] switchInt(move _8) -> [0: bb13, otherwise: bb4] + __t18 := _8.val_bool + if (__t18) { + goto loop2_inv_pre + } + goto l6 + + label loop2_inv_pre + // ========== l22 ========== + // MIR edge bb3 --> bb4 + // ========== loop2_end_body ========== + // Assert and exhale the loop body invariant (loop head: bb2) + // obtain acc(m_Link$_beg_$_end_(_2), write) + fold acc(bool(_6), write) + // obtain acc(bool(_6), write) + assert true + exhale acc(m_Link$_beg_$_end_(_2), write) && acc(bool(_6), write) + inhale false + goto end_of_method + + label loop2_start + // ========== l11 ========== + // MIR edge bb4 --> bb11 + // ========== loop2_group3_bb11 ========== + __t5 := true + // [mir] _6 = const false + _6.val_bool := false + // [mir] _7 = const () + // [mir] goto -> bb14 + goto 
loop2_group1_bb3 + + label return + // ========== l6 ========== + // MIR edge bb3 --> bb13 + goto l7 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref)
diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--is_empty-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--is_empty-Both.vpr
new file mode 100644
index 00000000..36fbcde0
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--is_empty-Both.vpr
@@ -0,0 +1,548 @@ +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + 
discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0: Int, + _1: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$injectivity { + (forall _l_0: Int, _l_1: Snap$m_Link$_beg_$_end_, _r_0: Int, _r_1: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Node$0$field$f$elem$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + 
Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Node$0$field$f$next$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: 
FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function 
f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 
32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$elem: Ref + +field f$next: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node((unfolding acc(struct$m_Node(self), read$()) in + (unfolding acc(i32(self.f$elem), read$()) in self.f$elem.val_int)), (unfolding acc(struct$m_Node(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$next))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Node(self: Ref) { + acc(self.f$elem, write) && + (acc(i32(self.f$elem), write) && + (acc(self.f$next, write) && acc(m_Link$_beg_$_end_(self.f$next), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +method 
m_Link$$is_empty() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Int + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#0}::is_empty" + // Span: tests/verify/pass/larger/first-final.rs:34:5: 39:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _2 = discriminant((*_1)) + _2 := builtin$havoc_int() + _2 := m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _2) -> [0: bb1, 1: bb2, otherwise: bb3] + __t6 := _2 + // Ignore default target bb3, as the compiler marked it as unreachable. + if (__t6 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] StorageLive(_3) + // [mir] _3 = &(*(((*_1) as More).0: std::boxed::Box)) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + unfold acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + unfold acc(m_Link$_beg_$_end_More(_1.val_ref.enum_More), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.enum_More.f$0), read$()) + _3.val_ref := _1.val_ref.enum_More.f$0.val_ref + inhale acc(struct$m_Node(_3.val_ref), read$()) + label l2 + // expire_borrows ReborrowingDAG(L3,) + + if (__t2) { + // expire loan L3 + exhale acc(struct$m_Node(_3.val_ref), read$()) + } + // [mir] _0 = const false + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := false + // [mir] StorageDead(_3) + // [mir] goto -> bb5 + // ========== l3 ========== + fold 
acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.enum_More.f$0), read$()) + fold acc(m_Link$_beg_$_end_More(_1.val_ref.enum_More), read$()) + fold acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + // drop Acc(_3.val_ref, write) (Acc(_3.val_ref, write)) + goto l1 + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t3 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb2] + // ========== bb4 ========== + __t4 := true + // [mir] _0 = const true + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := true + // [mir] goto -> bb5 + goto l1 + + label l1 + // ========== bb5 ========== + __t5 := true + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l4 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(m_Link$_beg_$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_Link$_beg_$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--len-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--len-Both.vpr
new file mode 100644
index 00000000..d3f64143
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--len-Both.vpr
@@ -0,0 +1,630 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + 
discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0: Int, + _1: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$injectivity { + (forall _l_0: Int, _l_1: Snap$m_Link$_beg_$_end_, _r_0: Int, _r_1: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Node$0$field$f$elem$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + 
Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Node$0$field$f$next$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: 
FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function 
f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 
32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): 
BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$elem: Ref + +field f$next: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node((unfolding acc(struct$m_Node(self), read$()) in + (unfolding acc(i32(self.f$elem), read$()) in self.f$elem.val_int)), (unfolding acc(struct$m_Node(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$next))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Node(self: Ref) { + acc(self.f$elem, write) && + (acc(i32(self.f$elem), write) && + (acc(self.f$next, write) && acc(m_Link$_beg_$_end_(self.f$next), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= 
self.val_int +} + +method m_Link$$len() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Int + var __t9: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Ref + var _4: Int + var _5: Ref + var _6: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#0}::len" + // Span: tests/verify/pass/larger/first-final.rs:43:5: 48:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _2 = discriminant((*_1)) + _2 := builtin$havoc_int() + _2 := m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _2) -> [0: bb1, 1: bb2, otherwise: bb3] + __t8 := _2 + // Ignore default target bb3, as the compiler marked it as unreachable. 
+ if (__t8 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] StorageLive(_3) + // [mir] _3 = &(*(((*_1) as More).0: std::boxed::Box)) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + unfold acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + unfold acc(m_Link$_beg_$_end_More(_1.val_ref.enum_More), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.enum_More.f$0), read$()) + _3.val_ref := _1.val_ref.enum_More.f$0.val_ref + inhale acc(struct$m_Node(_3.val_ref), read$()) + label l2 + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] _5 = &((*_3).1: Link) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + unfold acc(struct$m_Node(_3.val_ref), read$()) + _5.val_ref := _3.val_ref.f$next + inhale acc(m_Link$_beg_$_end_(_5.val_ref), read$()) + label l3 + // [mir] _4 = Link::len(move _5) -> [return: bb5, unwind: bb8] + label l4 + exhale acc(_5.val_ref, write) + _4 := builtin$havoc_int() + inhale _4 >= 0 + // transfer perm _5.val_ref --> old[l4](_5.val_ref) // unchecked: true + inhale (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(old[l4](_5.val_ref))) ==> + _4 > 0) && + _4 >= 0 + label l5 + // ========== l6 ========== + // MIR edge bb2 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L3,L4,L5,) + + if (__t2 && __t2) { + // expire loan L4 + // transfer perm old[l4](_5.val_ref) --> old[l3](_5.val_ref) // unchecked: false + exhale acc(m_Link$_beg_$_end_(old[l3](_5.val_ref)), read$()) + } + if (__t2 && (__t2 && __t2)) { + // expire loan L5 + fold acc(struct$m_Node(_3.val_ref), read$()) + exhale acc(struct$m_Node(_3.val_ref), read$()) + } + // ========== bb5 ========== + __t3 := true + // [mir] StorageDead(_5) + // [mir] _6 = CheckedAdd(const 1_usize, _4) + _6 := builtin$havoc_ref() + 
inhale acc(_6.tuple_0, write) + inhale acc(_6.tuple_0.val_int, write) + inhale acc(_6.tuple_1, write) + inhale acc(_6.tuple_1.val_bool, write) + inhale _4 >= 0 + _6.tuple_0.val_int := 1 + _4 + _6.tuple_1.val_bool := false + // [mir] assert(!move (_6.1: bool), "attempt to compute `{} + {}`, which would overflow", const 1_usize, move _4) -> [success: bb6, unwind: bb8] + __t9 := _6.tuple_1.val_bool + // Rust assertion: attempt to add with overflow + assert !__t9 + // ========== bb6 ========== + __t4 := true + // [mir] _0 = move (_6.0: usize) + _0 := _6.tuple_0 + label l7 + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] goto -> bb7 + // ========== l8 ========== + fold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.enum_More.f$0), read$()) + fold acc(m_Link$_beg_$_end_More(_1.val_ref.enum_More), read$()) + fold acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + // drop Acc(_3.val_ref, write) (Acc(_3.val_ref, write)) + // drop Acc(_6.tuple_0, write) (Acc(_6.tuple_0, write)) + // drop Acc(_4.val_int, write) (Acc(_4.val_int, write)) + // drop Acc(_6.tuple_1.val_bool, write) (Acc(_6.tuple_1.val_bool, write)) + // drop Acc(_6.tuple_1, write) (Acc(_6.tuple_1, write)) + goto l1 + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t5 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb2] + // ========== bb4 ========== + __t6 := true + // [mir] _0 = const 0_usize + _0 := builtin$havoc_ref() + inhale acc(_0.val_int, write) + _0.val_int := 0 + // [mir] goto -> bb7 + goto l1 + + label l1 + // ========== bb7 ========== + __t7 := true + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l9 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(m_Link$_beg_$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(usize(_0), write) + // obtain acc(usize(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_old$pre$0)) ==> + (unfolding acc(usize(_0), write) in _0.val_int) > 0) && + (unfolding acc(usize(_0), write) in _0.val_int) >= 0 + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_Link$_beg_$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(usize(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--lookup-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--lookup-Both.vpr new file mode 100644 index 00000000..3d1a2063 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--Link--lookup-Both.vpr 
@@ -0,0 +1,716 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: 
Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0: Int, + _1: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$injectivity { + (forall _l_0: Int, _l_1: Snap$m_Link$_beg_$_end_, _r_0: Int, _r_1: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Node$0$field$f$elem$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { 
Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Node$0$field$f$next$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 
interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: 
FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function 
bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation 
"bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: 
BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: 
BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$elem: Ref + +field f$next: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? 
+ 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node((unfolding acc(struct$m_Node(self), read$()) in + (unfolding acc(i32(self.f$elem), read$()) in self.f$elem.val_int)), (unfolding acc(struct$m_Node(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$next))) +} + +function read$(): Perm + ensures none < 
result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_Node(self: Ref) { + acc(self.f$elem, write) && + (acc(i32(self.f$elem), write) && + (acc(self.f$next, write) && acc(m_Link$_beg_$_end_(self.f$next), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_Link$$lookup() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Int + var __t11: Bool + var __t12: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Int + var _5: Ref + var _6: Ref + var _7: Int + var _8: Ref + var _9: Ref + var _10: Int + var _11: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#0}::lookup" + // Span: tests/verify/pass/larger/first-final.rs:51:5: 62:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(m_Link$_beg_$_end_(_1.val_ref), read$()) && _2 >= 0) + inhale 0 <= _2 && + _2 < + 
f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _3 = discriminant((*_1)) + _3 := builtin$havoc_int() + _3 := m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _3) -> [0: bb1, 1: bb2, otherwise: bb3] + __t10 := _3 + // Ignore default target bb3, as the compiler marked it as unreachable. + if (__t10 == 0) { + goto bb2 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] StorageLive(_5) + // [mir] _5 = &(*(((*_1) as More).0: std::boxed::Box)) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + unfold acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + unfold acc(m_Link$_beg_$_end_More(_1.val_ref.enum_More), read$()) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.enum_More.f$0), read$()) + _5.val_ref := _1.val_ref.enum_More.f$0.val_ref + inhale acc(struct$m_Node(_5.val_ref), read$()) + label l2 + // [mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] _7 = _2 + _7 := builtin$havoc_int() + inhale _2 >= 0 + _7 := _2 + label l3 + // [mir] _6 = Eq(move _7, const 0_usize) + _6 := builtin$havoc_ref() + inhale acc(_6.val_bool, write) + _6.val_bool := _7 == 0 + // [mir] StorageDead(_7) + // [mir] switchInt(move _6) -> [0: bb6, otherwise: bb5] + __t11 := _6.val_bool + if (__t11) { + goto l1 + } + goto l0 + + label bb2 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t8 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb2] + // ========== bb4 ========== + __t9 := true + // [mir] StorageLive(_4) + // [mir] _4 = core::panicking::panic(const "internal error: entered unreachable code") -> bb10 + // Rust panic - const "internal error: 
entered unreachable code" + assert false + goto end_of_method + + label bb3 + // ========== bb9 ========== + __t7 := true + // [mir] StorageDead(_6) + // [mir] StorageDead(_5) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l14 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.enum_More.f$0), read$()) + fold acc(m_Link$_beg_$_end_More(_1.val_ref.enum_More), read$()) + fold acc(m_Link$_beg_$_end_(_1.val_ref), read$()) + // obtain acc(m_Link$_beg_$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_Link$_beg_$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label l0 + // ========== l4 ========== + // MIR edge bb2 --> bb6 + // ========== bb6 ========== + __t4 := true + // [mir] StorageLive(_8) + // [mir] _8 = &((*_5).1: Link) + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + unfold acc(struct$m_Node(_5.val_ref), read$()) + _8.val_ref := _5.val_ref.f$next + inhale acc(m_Link$_beg_$_end_(_8.val_ref), read$()) + label l7 + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = _2 + _10 := builtin$havoc_int() + _10 := _2 + label l8 + // [mir] _11 = CheckedSub(_10, const 1_usize) + _11 := builtin$havoc_ref() + inhale acc(_11.tuple_0, write) + inhale acc(_11.tuple_0.val_int, write) + inhale acc(_11.tuple_1, write) + inhale acc(_11.tuple_1.val_bool, write) + _11.tuple_0.val_int := _10 - 1 + _11.tuple_1.val_bool := false + // [mir] assert(!move (_11.1: bool), "attempt to compute `{} 
- {}`, which would overflow", move _10, const 1_usize) -> [success: bb7, unwind: bb10] + __t12 := _11.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t12 + // ========== bb7 ========== + __t5 := true + // [mir] _9 = move (_11.0: usize) + _9 := _11.tuple_0 + label l9 + // [mir] StorageDead(_10) + // [mir] _0 = Link::lookup(move _8, move _9) -> [return: bb8, unwind: bb10] + label l10 + assert 0 <= _9.val_int && + _9.val_int < + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_8.val_ref)) + fold acc(usize(_9), write) + exhale acc(_8.val_ref, write) && acc(usize(_9), write) + _0 := builtin$havoc_ref() + inhale acc(i32(_0), write) + // transfer perm _8.val_ref --> old[l10](_8.val_ref) // unchecked: true + label l11 + // ========== l12 ========== + // MIR edge bb7 --> bb8 + // Expire borrows + // expire_borrows ReborrowingDAG(L4,L3,L5,) + + if (__t4 && __t5) { + // expire loan L3 + // transfer perm old[l10](_8.val_ref) --> old[l7](_8.val_ref) // unchecked: false + exhale acc(m_Link$_beg_$_end_(old[l7](_8.val_ref)), read$()) + } + if (__t2 && (__t4 && __t5)) { + // expire loan L5 + fold acc(struct$m_Node(_5.val_ref), read$()) + exhale acc(struct$m_Node(_5.val_ref), read$()) + } + // ========== bb8 ========== + __t6 := true + // [mir] StorageDead(_9) + // [mir] StorageDead(_8) + // [mir] goto -> bb9 + // ========== l13 ========== + // drop Acc(_10.val_int, write) (Acc(_10.val_int, write)) + unfold acc(i32(_0), write) + // drop Acc(_11.tuple_0, write) (Acc(_11.tuple_0, write)) + // drop Acc(_11.tuple_1.val_bool, write) (Acc(_11.tuple_1.val_bool, write)) + // drop Acc(_11.tuple_1, write) (Acc(_11.tuple_1, write)) + goto bb3 + + label l1 + // ========== l5 ========== + // MIR edge bb2 --> bb5 + // ========== bb5 ========== + __t3 := true + // [mir] _0 = ((*_5).0: i32) + _0 := builtin$havoc_ref() + inhale acc(_0.val_int, write) + unfold 
acc(struct$m_Node(_5.val_ref), read$()) + unfold acc(i32(_5.val_ref.f$elem), read$()) + _0.val_int := _5.val_ref.f$elem.val_int + label l6 + // expire_borrows ReborrowingDAG(L5,) + + if (__t2) { + // expire loan L5 + fold acc(i32(_5.val_ref.f$elem), read$()) + fold acc(struct$m_Node(_5.val_ref), read$()) + exhale acc(struct$m_Node(_5.val_ref), read$()) + } + // [mir] goto -> bb9 + goto bb3 + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--len-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--len-Both.vpr new file mode 100644 index 00000000..7e771485 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--len-Both.vpr 
@@ -0,0 +1,471 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: 
Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: 
FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation 
"fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: 
BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): 
BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: 
BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: 
BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$head: Ref + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? 
+ 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate struct$m_Node(self: Ref) + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + 
+predicate usize(self: Ref) { + acc(self.val_int, write) && 0 <= self.val_int +} + +method m_List$$len() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#2}::len" + // Span: tests/verify/pass/larger/first-final.rs:113:5: 115:6 (#0) + __t0 := false + __t1 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(struct$m_List(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] _2 = &((*_1).0: Link) + _2 := builtin$havoc_ref() + inhale acc(_2.val_ref, write) + unfold acc(struct$m_List(_1.val_ref), read$()) + _2.val_ref := _1.val_ref.f$head + inhale acc(m_Link$_beg_$_end_(_2.val_ref), read$()) + label l0 + // [mir] _0 = Link::len(move _2) -> [return: bb1, unwind: bb2] + label l1 + _0 := builtin$havoc_ref() + inhale acc(usize(_0), write) + inhale (unfolding acc(usize(_0), write) in _0.val_int) == + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2.val_ref)) + // transfer perm _2.val_ref --> old[l1](_2.val_ref) // unchecked: false + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L3,L4,) + + if (__t0 && __t0) { + // expire loan L4 + // transfer perm old[l1](_2.val_ref) --> old[l0](_2.val_ref) // unchecked: false + exhale acc(m_Link$_beg_$_end_(old[l0](_2.val_ref)), read$()) + } + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l4 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_List(_1.val_ref), read$()) + // obtain acc(struct$m_List(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + // obtain acc(usize(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_List(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(usize(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--lookup-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--lookup-Both.vpr new file mode 100644 index 00000000..5f1fa30f --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--lookup-Both.vpr 
@@ -0,0 +1,564 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + + function mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + + function mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + 
cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_List { + + function cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0: Snap$m_Link$_beg_$_end_): Snap$struct$m_List + + function Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_List): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_List$0$injectivity { + (forall _l_0: Snap$m_Link$_beg_$_end_, _r_0: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0), + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) } + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0) == + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_List$0$field$f$head$axiom { + (forall _0: Snap$m_Link$_beg_$_end_ :: + { 
Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) } + Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): 
Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: 
FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 
interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: 
"bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 
interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation 
"bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$head: Ref + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? 
+ 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1, + _2), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + (_2 != 0 ? + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)), + _2 - 1) : + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + requires true + requires true + ensures true + ensures 0 <= result + ensures [result == + mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1), + true] +{ + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1)) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(self: Ref): Snap$struct$m_List + requires acc(struct$m_List(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List((unfolding acc(struct$m_List(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$head))) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate struct$m_Node(self: Ref) + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +method m_List$$lookup() returns (_0: Ref) +{ + var __t0: Bool + var 
__t1: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Ref + var _4: Int + + label start + // ========== start ========== + // Def path: "first_final::{impl#2}::lookup" + // Span: tests/verify/pass/larger/first-final.rs:119:5: 121:6 (#0) + __t0 := false + __t1 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_List(_1.val_ref), read$()) && _2 >= 0) + inhale 0 <= _2 && + _2 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] _3 = &((*_1).0: Link) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + unfold acc(struct$m_List(_1.val_ref), read$()) + _3.val_ref := _1.val_ref.f$head + inhale acc(m_Link$_beg_$_end_(_3.val_ref), read$()) + label l0 + // [mir] StorageLive(_4) + // [mir] _4 = _2 + _4 := builtin$havoc_int() + inhale _2 >= 0 + _4 := _2 + label l1 + // [mir] _0 = Link::lookup(move _3, move _4) -> [return: bb1, unwind: bb2] + label l2 + _0 := builtin$havoc_ref() + inhale acc(i32(_0), write) + inhale (unfolding acc(i32(_0), write) in _0.val_int) == + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_3.val_ref), + _4) + // transfer perm _3.val_ref --> old[l2](_3.val_ref) // unchecked: false + // ========== l3 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L3,L4,) + + if (__t0 && __t0) { + // expire loan L4 + // transfer perm old[l2](_3.val_ref) --> old[l0](_3.val_ref) // unchecked: false + exhale acc(m_Link$_beg_$_end_(old[l0](_3.val_ref)), read$()) + } + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_4) + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l5 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_List(_1.val_ref), read$()) + // obtain acc(struct$m_List(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_List(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--new-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--new-Both.vpr new file mode 100644 index 00000000..96d94d16 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--new-Both.vpr 
@@ -0,0 +1,503 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + + function mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + 
_l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_List { + + function cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0: Snap$m_Link$_beg_$_end_): Snap$struct$m_List + + function Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_List): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_List$0$injectivity { + (forall _l_0: Snap$m_Link$_beg_$_end_, _r_0: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0), + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) } + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0) == + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_List$0$field$f$head$axiom { + (forall _0: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) } + 
Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation 
"fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: 
FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int 
interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: 
BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): 
BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$head: Ref + +field 
val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + requires true + requires true + ensures true + ensures 0 <= result + ensures [result == + mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1), + true] +{ + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1)) +} + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function 
snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(self: Ref): Snap$struct$m_List + requires acc(struct$m_List(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List((unfolding acc(struct$m_List(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$head))) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate struct$m_Node(self: Ref) + +predicate 
struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +method m_List$$new() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var _1: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#2}::new" + // Span: tests/verify/pass/larger/first-final.rs:124:5: 128:6 (#0) + __t0 := false + __t1 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_1) + // [mir] _1 = Link::Empty + _1 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(_1), write) + inhale m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_1) == + 0 + // [mir] _0 = List { head: move _1 } + _0 := builtin$havoc_ref() + inhale acc(struct$m_List(_0), write) + unfold acc(struct$m_List(_0), write) + _0.f$head := _1 + label l0 + // [mir] drop(_1) -> [return: bb1, unwind: bb2] + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_1) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l2 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(struct$m_List(_0), write) + // obtain acc(struct$m_List(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_0)) == + 0 + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(struct$m_List(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--pop-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--pop-Both.vpr new file mode 100644 index 00000000..ca2f34b0 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--pop-Both.vpr 
@@ -0,0 +1,948 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + + function mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + + function mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + + function mirror_simple$f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1: Snap$struct$m_List, + _2: Int): Int + + function mirror_simple$f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + + function mirror_simple$f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + + function mirror_simple$f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1: Snap$m_TrustedOption$_beg_$_end_): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom 
Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$m_TrustedOption$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0: Int): Snap$m_TrustedOption$_beg_$_end_ + + function Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self: 
Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(): Snap$m_TrustedOption$_beg_$_end_ + + axiom Snap$m_TrustedOption$_beg_$_end_$discriminant_range { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$injectivity { + (forall _l_0: Int, _r_0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0), + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) } + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0) == + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$discriminant_axiom { + (forall _0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + 0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$axiom { + (forall _0: Int :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) } + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + _0) + } + + axiom 
Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$valid { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + -2147483648 <= + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 2147483647) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$1$discriminant_axiom { + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_()) == + 1 + } +} + +domain Snap$struct$m_List { + + function cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0: Snap$m_Link$_beg_$_end_): Snap$struct$m_List + + function Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_List): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_List$0$injectivity { + (forall _l_0: Snap$m_Link$_beg_$_end_, _r_0: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0), + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) } + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0) == + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_List$0$field$f$head$axiom { + (forall _0: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) } + Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + 
function cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0: Int, + _1: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$injectivity { + (forall _l_0: Int, _l_1: Snap$m_Link$_beg_$_end_, _r_0: Int, _r_1: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Node$0$field$f$elem$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Node$0$field$f$next$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { 
Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool 
interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function 
f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: 
BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" 
+ + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field enum_Some: Ref + +field 
f$0: Ref + +field f$elem: Ref + +field f$head: Ref + +field f$next: Ref + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1, + _2), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + (_2 != 0 ? 
+ f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)), + _2 - 1) : + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + requires true + requires true + ensures true + ensures 0 <= result + ensures [result == + mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1), + true] +{ + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1)) +} + +function f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1: Snap$struct$m_List, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_List$$len__$TY$__Snap$struct$m_List$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1, _2), + true] +{ + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1), + _2) +} + +function f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1), + true] +{ + !(discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0) +} + +function f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + 
mirror_simple$f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0 +} + +function f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1: Snap$m_TrustedOption$_beg_$_end_): Int + requires true + requires f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1) + ensures true + ensures [result == + mirror_simple$f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0 ? + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1) : + builtin$unreach__$TY$__$int$$$int$()) +} + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding 
acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self: Ref): Snap$m_TrustedOption$_beg_$_end_ + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_() : + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + (unfolding acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), read$()) in + (unfolding acc(i32(self.enum_Some.f$0), read$()) in + self.enum_Some.f$0.val_int))))) +} + +function snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(self: Ref): Snap$struct$m_List + requires acc(struct$m_List(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List((unfolding acc(struct$m_List(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$head))) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node((unfolding acc(struct$m_Node(self), read$()) in + (unfolding acc(i32(self.f$elem), 
read$()) in self.f$elem.val_int)), (unfolding acc(struct$m_Node(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$next))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate m_TrustedOption$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), write))) +} + +predicate m_TrustedOption$_beg_$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(i32(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate struct$m_Node(self: Ref) { + acc(self.f$elem, write) && + (acc(i32(self.f$elem), write) && + (acc(self.f$next, write) && acc(m_Link$_beg_$_end_(self.f$next), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +method m_List$$pop() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Int + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Int + var _7: Ref + var _8: Ref + var _9: Ref + + label start + // 
========== start ========== + // Def path: "first_final::{impl#2}::pop" + // Span: tests/verify/pass/larger/first-final.rs:151:5: 161:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(struct$m_List(_1.val_ref), write) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = &mut ((*_1).0: Link) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + unfold acc(struct$m_List(_1.val_ref), write) + _4.val_ref := _1.val_ref.f$head + label l0 + // [mir] _3 = &mut (*_4) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + _3.val_ref := _4.val_ref + label l1 + // [mir] StorageLive(_5) + // [mir] _5 = Link::Empty + _5 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(_5), write) + inhale m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_5) == + 0 + // [mir] _2 = replace(move _3, move _5) -> [return: bb1, unwind: bb14] + label l2 + assert f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_5)) + assert true + exhale acc(_3.val_ref, write) && + (acc(m_Link$_beg_$_end_(_3.val_ref), write) && + acc(m_Link$_beg_$_end_(_5), write)) + _2 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(old[l2](_3.val_ref)), write) + inhale acc(m_Link$_beg_$_end_(_2), write) + inhale true + inhale f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(old[l2](_3.val_ref))) && + (old[l2](f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_3.val_ref))) == + 
f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2)) ==> + old[l2](f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_3.val_ref), + _0_quant_0)) == + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_2), + _0_quant_0)))) + label l3 + // ========== l4 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L5,L1,L0,) + + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_5) + // [mir] StorageDead(_3) + // [mir] FakeRead(ForMatchedPlace(None), _2) + // [mir] _6 = discriminant(_2) + _6 := builtin$havoc_int() + _6 := m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_2) + // [mir] switchInt(move _6) -> [0: bb2, 1: bb3, otherwise: bb4] + __t11 := _6 + // Ignore default target bb4, as the compiler marked it as unreachable. 
+ if (__t11 == 0) { + goto l4 + } + goto bb0 + + label bb0 + // ========== l5 ========== + // MIR edge bb1 --> bb3 + // ========== bb3 ========== + __t3 := true + // [mir] StorageLive(_7) + // [mir] _7 = move ((_2 as More).0: std::boxed::Box) + unfold acc(m_Link$_beg_$_end_(_2), write) + unfold acc(m_Link$_beg_$_end_More(_2.enum_More), write) + _7 := _2.enum_More.f$0 + label l7 + // [mir] StorageLive(_8) + // [mir] _8 = move ((*_7).1: Link) + unfold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_7), write) + unfold acc(struct$m_Node(_7.val_ref), write) + _8 := _7.val_ref.f$next + label l8 + // [mir] drop(((*_1).0: Link)) -> [return: bb6, unwind: bb7] + // ========== bb6 ========== + __t4 := true + // [mir] ((*_1).0: Link) = move _8 + _1.val_ref.f$head := _8 + label l9 + // [mir] drop(_8) -> [return: bb8, unwind: bb12] + // ========== bb8 ========== + __t5 := true + // [mir] StorageDead(_8) + // [mir] StorageLive(_9) + // [mir] _9 = ((*_7).0: i32) + _9 := builtin$havoc_ref() + inhale acc(_9.val_int, write) + unfold acc(i32(_7.val_ref.f$elem), write) + _9.val_int := _7.val_ref.f$elem.val_int + label l10 + // [mir] _0 = TrustedOption::Some(move _9) + _0 := builtin$havoc_ref() + inhale acc(m_TrustedOption$_beg_$_end_(_0), write) + inhale m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_0) == + 0 + // downcast _0 to enum_Some + + unfold acc(m_TrustedOption$_beg_$_end_(_0), write) + unfold acc(m_TrustedOption$_beg_$_end_Some(_0.enum_Some), write) + _0.enum_Some.f$0 := _9 + label l11 + // [mir] StorageDead(_9) + // [mir] drop(_7) -> [return: bb9, unwind: bb13] + // ========== bb9 ========== + __t6 := true + // [mir] StorageDead(_7) + // [mir] goto -> bb10 + // ========== l12 ========== + fold acc(i32(_0.enum_Some.f$0), write) + fold acc(m_TrustedOption$_beg_$_end_Some(_0.enum_Some), write) + fold acc(m_TrustedOption$_beg_$_end_(_0), write) + // drop Acc(_2.discriminant, write) (Pred(_2[enum_More].f$0, write)) + 
// drop Acc(_2[enum_More], write) (Pred(_2[enum_More].f$0, write)) + // drop Acc(_2[enum_More].f$0, write) (Pred(_2[enum_More].f$0, write)) + // drop Acc(_7.val_ref.f$next, write) (Acc(_7.val_ref.f$next, write)) + // drop Acc(_7.val_ref.f$elem.val_int, write) (Acc(_7.val_ref.f$elem.val_int, write)) + // drop Acc(_7.val_ref.f$elem, write) (Acc(_7.val_ref.f$elem, write)) + // drop Acc(_7.val_ref, write) (Acc(_7.val_ref, write)) + goto bb1 + + label bb1 + // ========== bb10 ========== + __t9 := true + // [mir] drop(_2) -> [return: bb11, unwind: bb15] + // ========== bb11 ========== + __t10 := true + // [mir] StorageDead(_4) + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l13 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(struct$m_List(_1.val_ref), write) + // obtain acc(struct$m_List(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + // obtain acc(m_TrustedOption$_beg_$_end_(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert (old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_0))) && + ((old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0)) == + 0) && + ((old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) > + 0 ==> + 
f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_0))) && + ((old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_0)) == + old[pre](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref), + 0))) && + ((old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0)) == + old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref)) - + 1)) && + (old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0)) ==> + old[pre](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0), + _0_quant_0)))))))) + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + exhale acc(struct$m_List(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(m_TrustedOption$_beg_$_end_(_0), 
write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label l4 + // ========== l6 ========== + // MIR edge bb1 --> bb2 + // ========== bb2 ========== + __t7 := true + // [mir] falseEdge -> [real: bb5, imaginary: bb3] + // ========== bb5 ========== + __t8 := true + // [mir] _0 = TrustedOption::None + _0 := builtin$havoc_ref() + inhale acc(m_TrustedOption$_beg_$_end_(_0), write) + inhale m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_0) == + 1 + // [mir] goto -> bb10 + // ========== l14 ========== + // drop Pred(_2, write) (Pred(_2[enum_More].f$0, write)) + goto bb1 + + label return + // ========== bb4 ========== + __t2 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--push-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--push-Both.vpr new file mode 100644 index 00000000..7c0a55a5 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--List--push-Both.vpr 
@@ -0,0 +1,800 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + + function mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + + function mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + + function mirror_simple$f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1: Snap$struct$m_List, + _2: Int): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(): Snap$m_Link$_beg_$_end_ + + function cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + axiom Snap$m_Link$_beg_$_end_$discriminant_range { + (forall self: Snap$m_Link$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_Link$_beg_$_end_$0$discriminant_axiom { + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) == + 0 + } + + axiom Snap$m_Link$_beg_$_end_$1$injectivity { + (forall _l_0: Snap$struct$m_Node, _r_0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0), + 
cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) } + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_l_0) == + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_Link$_beg_$_end_$1$discriminant_axiom { + (forall _0: Snap$struct$m_Node :: + { cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + 1) + } + + axiom Snap$m_Link$_beg_$_end_$1$field$f$0$axiom { + (forall _0: Snap$struct$m_Node :: + { Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) } + Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(_0)) == + _0) + } +} + +domain Snap$struct$m_List { + + function cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0: Snap$m_Link$_beg_$_end_): Snap$struct$m_List + + function Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_List): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_List$0$injectivity { + (forall _l_0: Snap$m_Link$_beg_$_end_, _r_0: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0), + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) } + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0) == + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_List$0$field$f$head$axiom { + (forall _0: 
Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) } + Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0: Int, + _1: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$injectivity { + (forall _l_0: Int, _l_1: Snap$m_Link$_beg_$_end_, _r_0: Int, _r_1: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1), cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) } + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_l_0, + _l_1) == + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_r_0, + _r_1) ==> + _l_0 == _r_0 && _l_1 == _r_1) + } + + axiom Snap$struct$m_Node$0$field$f$elem$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _0) + } + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { 
Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } + + axiom Snap$struct$m_Node$0$field$f$next$axiom { + (forall _0: Int, _1: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) } + Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_0, + _1)) == + _1) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: 
FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation 
"fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function 
bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function 
bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function 
bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_More: Ref + +field f$0: Ref + +field f$elem: Ref + +field f$head: Ref + +field f$next: Ref + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? 
+ 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1, + _2), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + (_2 != 0 ? + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)), + _2 - 1) : + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + requires true + requires true + ensures true + ensures 0 <= result + ensures [result == + mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1), + true] +{ + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1)) +} + +function f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1: Snap$struct$m_List, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_List$$len__$TY$__Snap$struct$m_List$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1, _2), + true] +{ + 
f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1), + _2) +} + +function m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_Link$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_Link$_beg_$_end_(self), read$()) in self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node$Snap$m_Link$_beg_$_end_((unfolding acc(m_Link$_beg_$_end_(self), read$()) in + (unfolding acc(m_Link$_beg_$_end_More(self.enum_More), read$()) in + (unfolding acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.enum_More.f$0), read$()) in + snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self.enum_More.f$0.val_ref))))) : + cons$0$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_()) +} + +function snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(self: Ref): Snap$struct$m_List + requires acc(struct$m_List(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List((unfolding acc(struct$m_List(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$head))) +} + +function snap$__$TY$__Snap$struct$m_Node$struct$m_Node$Snap$struct$m_Node(self: Ref): Snap$struct$m_Node + requires acc(struct$m_Node(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_Node$$int$$Snap$m_Link$_beg_$_end_$Snap$struct$m_Node((unfolding 
acc(struct$m_Node(self), read$()) in + (unfolding acc(i32(self.f$elem), read$()) in self.f$elem.val_int)), (unfolding acc(struct$m_Node(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$next))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_More, write) && + acc(m_Link$_beg_$_end_More(self.enum_More), write))) +} + +predicate m_Link$_beg_$_end_More(self: Ref) { + acc(self.f$0, write) && + acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate struct$m_Node(self: Ref) { + acc(self.f$elem, write) && + (acc(i32(self.f$elem), write) && + (acc(self.f$next, write) && acc(m_Link$_beg_$_end_(self.f$next), write))) +} + +predicate struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(self: Ref) { + acc(self.val_ref, write) && acc(struct$m_Node(self.val_ref), write) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_List$$push() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var _aux_havoc_struct$m_Node: Ref + var _old$pre$0: Ref + var _1: Ref + var _2: Ref + var _3: Int + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Ref + var _11: Ref + var _12: Ref + var _13: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#2}::push" + // Span: tests/verify/pass/larger/first-final.rs:134:5: 141:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 
:= false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + (acc(struct$m_List(_1.val_ref), write) && acc(i32(_2), write)) + inhale true + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = &((*_1).0: Link) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + unfold acc(struct$m_List(_1.val_ref), write) + _4.val_ref := _1.val_ref.f$head + exhale acc(m_Link$_beg_$_end_(_1.val_ref.f$head), write - read$()) + inhale acc(m_Link$_beg_$_end_(_4.val_ref), read$()) + label l0 + // [mir] _3 = Link::len(move _4) -> [return: bb1, unwind: bb14] + label l1 + _3 := builtin$havoc_int() + inhale _3 >= 0 + inhale _3 == + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_4.val_ref)) + // transfer perm _4.val_ref --> old[l1](_4.val_ref) // unchecked: false + // ========== l2 ========== + // MIR edge bb0 --> bb1 + // Expire borrows + // expire_borrows ReborrowingDAG(L7,L0,) + + if (__t0 && __t0) { + // expire loan L0 + // transfer perm old[l1](_4.val_ref) --> old[l0](_4.val_ref) // unchecked: false + exhale acc(m_Link$_beg_$_end_(old[l0](_4.val_ref)), read$()) + inhale acc(m_Link$_beg_$_end_(_1.val_ref.f$head), write - read$()) + } + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_4) + // [mir] FakeRead(ForLet(None), _3) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] _7 = _2 + _7 := builtin$havoc_ref() + inhale acc(_7.val_int, write) + unfold acc(i32(_2), write) + _7.val_int := _2.val_int + label l3 + // [mir] StorageLive(_8) + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = &mut ((*_1).0: Link) + _10 := builtin$havoc_ref() + inhale acc(_10.val_ref, write) + _10.val_ref := _1.val_ref.f$head + label l4 + // [mir] _9 = &mut (*_10) + _9 := 
builtin$havoc_ref() + inhale acc(_9.val_ref, write) + _9.val_ref := _10.val_ref + label l5 + // [mir] StorageLive(_11) + // [mir] _11 = Link::Empty + _11 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(_11), write) + inhale m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_11) == + 0 + // [mir] _8 = replace(move _9, move _11) -> [return: bb2, unwind: bb13] + label l6 + assert f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_11)) + assert true + exhale acc(_9.val_ref, write) && + (acc(m_Link$_beg_$_end_(_9.val_ref), write) && + acc(m_Link$_beg_$_end_(_11), write)) + _8 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(old[l6](_9.val_ref)), write) + inhale acc(m_Link$_beg_$_end_(_8), write) + inhale true + inhale f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(old[l6](_9.val_ref))) && + (old[l6](f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_9.val_ref))) == + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_8)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_8)) ==> + old[l6](f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_9.val_ref), + _0_quant_0)) == + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(_8), + _0_quant_0)))) + label l7 + // ========== l8 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L6,L2,L1,) + + 
// ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_11) + // [mir] StorageDead(_9) + // [mir] _6 = Node { elem: move _7, next: move _8 } + _6 := builtin$havoc_ref() + inhale acc(struct$m_Node(_6), write) + unfold acc(struct$m_Node(_6), write) + _6.f$elem := _7 + label l9 + _6.f$next := _8 + label l10 + // [mir] drop(_8) -> [return: bb3, unwind: bb12] + // ========== bb3 ========== + __t3 := true + // [mir] StorageDead(_8) + // [mir] StorageDead(_7) + // [mir] _5 = std::boxed::Box::::new(move _6) -> [return: bb4, unwind: bb12] + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _aux_havoc_struct$m_Node := builtin$havoc_ref() + _5.val_ref := _aux_havoc_struct$m_Node + inhale acc(struct$m_Node(_5.val_ref), write) + _5.val_ref := _6 + label l11 + // ========== bb4 ========== + __t4 := true + // [mir] StorageDead(_6) + // [mir] FakeRead(ForLet(None), _5) + // [mir] StorageDead(_10) + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = move _5 + _13 := _5 + label l12 + // [mir] _12 = Link::More(move _13) + _12 := builtin$havoc_ref() + inhale acc(m_Link$_beg_$_end_(_12), write) + inhale m_Link$_beg_$_end_$$discriminant$$__$TY$__m_Link$_beg_$_end_$$int$(_12) == + 1 + // downcast _12 to enum_More + + unfold acc(m_Link$_beg_$_end_(_12), write) + unfold acc(m_Link$_beg_$_end_More(_12.enum_More), write) + _12.enum_More.f$0 := _13 + label l13 + // [mir] drop(_13) -> [return: bb5, unwind: bb10] + // ========== bb5 ========== + __t5 := true + // [mir] StorageDead(_13) + // [mir] drop(((*_1).0: Link)) -> [return: bb6, unwind: bb7] + // ========== bb6 ========== + __t6 := true + // [mir] ((*_1).0: Link) = move _12 + _1.val_ref.f$head := _12 + label l14 + // [mir] drop(_12) -> [return: bb8, unwind: bb11] + // ========== bb8 ========== + __t7 := true + // [mir] StorageDead(_12) + // [mir] _0 = const () + // [mir] drop(_5) -> [return: bb9, unwind: bb14] + // ========== bb9 ========== + __t8 := true + // [mir] StorageDead(_5) + // [mir] 
StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l16 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref.f$head.enum_More.f$0.val_ref.f$elem), write) + fold acc(struct$m_Node(_1.val_ref.f$head.enum_More.f$0.val_ref), write) + fold acc(struct$m_std$$boxed$$Box$struct$m_Node$struct$m_std$$alloc$$Global(_1.val_ref.f$head.enum_More.f$0), write) + fold acc(m_Link$_beg_$_end_More(_1.val_ref.f$head.enum_More), write) + fold acc(m_Link$_beg_$_end_(_1.val_ref.f$head), write) + fold acc(struct$m_List(_1.val_ref), write) + // obtain acc(struct$m_List(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + assert f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0)) == + old[pre](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref))) + + 1 && + (f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0), + 0) == + old[pre]((unfolding acc(i32(_2), write) in _2.val_int)) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(1 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0)) ==> + old[pre](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1.val_ref), + _0_quant_0 - 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_old$pre$0), + _0_quant_0)))) + // Assert type invariants + assert true + // Exhale permissions of 
postcondition (1/3) + exhale acc(struct$m_List(_old$pre$0), write) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_none-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_none-Both.vpr new file mode 100644 index 00000000..09b4db60 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_none-Both.vpr 
@@ -0,0 +1,464 @@ +domain Snap$m_TrustedOption$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0: Int): Snap$m_TrustedOption$_beg_$_end_ + + function Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(): Snap$m_TrustedOption$_beg_$_end_ + + axiom Snap$m_TrustedOption$_beg_$_end_$discriminant_range { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$injectivity { + (forall _l_0: Int, _r_0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0), + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) } + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0) == + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$discriminant_axiom { + (forall _0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + 0) + } + + axiom 
Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$axiom { + (forall _0: Int :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) } + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + _0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$valid { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + -2147483648 <= + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 2147483647) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$1$discriminant_axiom { + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_()) == + 1 + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 
interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: 
FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function 
bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation 
"bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: 
BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: 
BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self: Ref): Snap$m_TrustedOption$_beg_$_end_ + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_() : + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + (unfolding acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), read$()) in + (unfolding acc(i32(self.enum_Some.f$0), read$()) in + self.enum_Some.f$0.val_int))))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_TrustedOption$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), write))) +} + +predicate m_TrustedOption$_beg_$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(i32(self.f$0), write) +} + +method m_TrustedOption$$is_none() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Int + var _old$pre$0: Ref + var _1: Ref + var _2: Int + + label start + // ========== start ========== + // Def path: "first_final::{impl#1}::is_none" + // Span: tests/verify/pass/larger/first-final.rs:77:5: 82:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(m_TrustedOption$_beg_$_end_(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _2 = discriminant((*_1)) + _2 := builtin$havoc_int() + _2 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _2) -> [0: bb1, 1: bb2, otherwise: bb3] + __t6 := _2 + // Ignore default target bb3, as the 
compiler marked it as unreachable. + if (__t6 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] _0 = const true + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := true + // [mir] goto -> bb5 + goto l1 + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t3 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb2] + // ========== bb4 ========== + __t4 := true + // [mir] _0 = const false + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := false + // [mir] goto -> bb5 + goto l1 + + label l1 + // ========== bb5 ========== + __t5 := true + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l3 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(m_TrustedOption$_beg_$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_TrustedOption$_beg_$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_some-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_some-Both.vpr new file mode 100644 index 00000000..353fd359 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--is_some-Both.vpr 
@@ -0,0 +1,464 @@ +domain Snap$m_TrustedOption$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0: Int): Snap$m_TrustedOption$_beg_$_end_ + + function Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(): Snap$m_TrustedOption$_beg_$_end_ + + axiom Snap$m_TrustedOption$_beg_$_end_$discriminant_range { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$injectivity { + (forall _l_0: Int, _r_0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0), + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) } + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0) == + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$discriminant_axiom { + (forall _0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + 0) + } + + axiom 
Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$axiom { + (forall _0: Int :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) } + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + _0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$valid { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + -2147483648 <= + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 2147483647) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$1$discriminant_axiom { + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_()) == + 1 + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 
interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: 
FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function 
bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation 
"bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: 
BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: 
BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self: Ref): Snap$m_TrustedOption$_beg_$_end_ + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_() : + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + (unfolding acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), read$()) in + (unfolding acc(i32(self.enum_Some.f$0), read$()) in + self.enum_Some.f$0.val_int))))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_TrustedOption$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), write))) +} + +predicate m_TrustedOption$_beg_$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(i32(self.f$0), write) +} + +method m_TrustedOption$$is_some() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Int + var _old$pre$0: Ref + var _1: Ref + var _2: Int + + label start + // ========== start ========== + // Def path: "first_final::{impl#1}::is_some" + // Span: tests/verify/pass/larger/first-final.rs:84:5: 89:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(m_TrustedOption$_beg_$_end_(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _2 = discriminant((*_1)) + _2 := builtin$havoc_int() + _2 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _2) -> [0: bb1, 1: bb2, otherwise: bb3] + __t6 := _2 + // Ignore default target bb3, as the 
compiler marked it as unreachable. + if (__t6 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] _0 = const false + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := false + // [mir] goto -> bb5 + goto l1 + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t3 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb2] + // ========== bb4 ========== + __t4 := true + // [mir] _0 = const true + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := true + // [mir] goto -> bb5 + goto l1 + + label l1 + // ========== bb5 ========== + __t5 := true + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l3 + // Fold predicates for &mut args and transfer borrow permissions to old + // obtain acc(m_TrustedOption$_beg_$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_TrustedOption$_beg_$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) 
diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--peek-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--peek-Both.vpr new file mode 100644 index 00000000..bc775950 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--TrustedOption--peek-Both.vpr 
@@ -0,0 +1,489 @@ +domain MirrorDomain { + + function mirror_simple$f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool +} + +domain Snap$m_TrustedOption$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0: Int): Snap$m_TrustedOption$_beg_$_end_ + + function Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(): Snap$m_TrustedOption$_beg_$_end_ + + axiom Snap$m_TrustedOption$_beg_$_end_$discriminant_range { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$injectivity { + (forall _l_0: Int, _r_0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0), + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) } + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0) == + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$discriminant_axiom { + (forall _0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0) } + 
discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + 0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$axiom { + (forall _0: Int :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) } + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + _0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$valid { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + -2147483648 <= + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 2147483647) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$1$discriminant_axiom { + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_()) == + 1 + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 
interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: 
FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function 
bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 
interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + 
function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: 
BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field val_int: Int + +field val_ref: Ref + +function f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0 +} + +function m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) +} + +function 
snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self: Ref): Snap$m_TrustedOption$_beg_$_end_ + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) == + 1 ? + cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_() : + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + (unfolding acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), read$()) in + (unfolding acc(i32(self.enum_Some.f$0), read$()) in + self.enum_Some.f$0.val_int))))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_TrustedOption$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), write))) +} + +predicate m_TrustedOption$_beg_$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(i32(self.f$0), write) +} + +method m_TrustedOption$$peek() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Int + var _old$pre$0: Ref + var _1: Ref + var _2: Int + var _3: Ref + + label start + // ========== start ========== + // Def path: "first_final::{impl#1}::peek" + // Span: tests/verify/pass/larger/first-final.rs:92:5: 97:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(m_TrustedOption$_beg_$_end_(_1.val_ref), read$()) + inhale 
f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_1.val_ref)) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] FakeRead(ForMatchedPlace(None), _1) + // [mir] _2 = discriminant((*_1)) + _2 := builtin$havoc_int() + _2 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_1.val_ref) + // [mir] switchInt(move _2) -> [0: bb1, 1: bb2, otherwise: bb3] + __t5 := _2 + // Ignore default target bb3, as the compiler marked it as unreachable. + if (__t5 == 0) { + goto l0 + } + goto bb0 + + label bb0 + // ========== l0 ========== + // MIR edge bb0 --> bb2 + // ========== bb2 ========== + __t2 := true + // [mir] StorageLive(_4) + // [mir] _4 = core::panicking::panic(const "internal error: entered unreachable code") -> bb5 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label l0 + // ========== l1 ========== + // MIR edge bb0 --> bb1 + // ========== bb1 ========== + __t3 := true + // [mir] falseEdge -> [real: bb4, imaginary: bb2] + // ========== bb4 ========== + __t4 := true + // [mir] StorageLive(_3) + // [mir] _3 = &(((*_1) as Some).0: i32) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) + unfold acc(m_TrustedOption$_beg_$_end_(_1.val_ref), read$()) + unfold acc(m_TrustedOption$_beg_$_end_Some(_1.val_ref.enum_Some), read$()) + _3.val_ref := _1.val_ref.enum_Some.f$0 + inhale acc(i32(_3.val_ref), read$()) + label l2 + // [mir] _0 = (*_3) + _0 := builtin$havoc_ref() + inhale acc(_0.val_int, write) + unfold acc(i32(_3.val_ref), read$()) + _0.val_int := _3.val_ref.val_int + label l3 + // expire_borrows ReborrowingDAG(L3,) + + if (__t4) { + // expire loan L3 + fold acc(i32(_3.val_ref), read$()) + exhale acc(i32(_3.val_ref), read$()) + } + // [mir] StorageDead(_3) + // [mir] return + // ========== return ========== + // Target of any 
'return' statement. + // Exhale postcondition + label l5 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(m_TrustedOption$_beg_$_end_Some(_1.val_ref.enum_Some), read$()) + fold acc(m_TrustedOption$_beg_$_end_(_1.val_ref), read$()) + // obtain acc(m_TrustedOption$_beg_$_end_(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(i32(_0), write) + // obtain acc(i32(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(m_TrustedOption$_beg_$_end_(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(i32(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label return + // ========== bb3 ========== + __t1 := true + // [mir] unreachable + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--main-Both.vpr new file mode 100644 index 00000000..06c95197 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "first_final::main" + // Span: tests/verify/pass/larger/first-final.rs:227:1: 227:13 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== + 
__t0 := true + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--test--basics-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--test--basics-Both.vpr new file mode 100644 index 00000000..51aacdef --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_larger_first-final_first-final.rs_first_final--test--basics-Both.vpr 
@@ -0,0 +1,1925 @@ +domain MirrorDomain { + + function mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + + function mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + + function mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + + function mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + + function mirror_simple$f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1: Snap$struct$m_List, + _2: Int): Int + + function mirror_simple$f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + + function mirror_simple$f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + + function mirror_simple$f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1: Snap$m_TrustedOption$_beg_$_end_): Int +} + +domain Snap$m_Link$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(self: Snap$m_Link$_beg_$_end_): Int + + function Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(self: Snap$m_Link$_beg_$_end_): Snap$struct$m_Node +} + +domain Snap$m_TrustedOption$_beg_$_end_ { + + function discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0: Int): Snap$m_TrustedOption$_beg_$_end_ + + function Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self: Snap$m_TrustedOption$_beg_$_end_): Int + + function cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(): Snap$m_TrustedOption$_beg_$_end_ + + axiom 
Snap$m_TrustedOption$_beg_$_end_$discriminant_range { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + 0 <= + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 1) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$injectivity { + (forall _l_0: Int, _r_0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0), + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) } + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_l_0) == + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$discriminant_axiom { + (forall _0: Int :: + { cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0) } + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + 0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$axiom { + (forall _0: Int :: + { Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) } + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_(_0)) == + _0) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$0$field$f$0$valid { + (forall self: Snap$m_TrustedOption$_beg_$_end_ :: + { 
Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) } + -2147483648 <= + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) && + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(self) <= + 2147483647) + } + + axiom Snap$m_TrustedOption$_beg_$_end_$1$discriminant_axiom { + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_()) == + 1 + } +} + +domain Snap$struct$m_List { + + function cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0: Snap$m_Link$_beg_$_end_): Snap$struct$m_List + + function Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_List): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_List$0$injectivity { + (forall _l_0: Snap$m_Link$_beg_$_end_, _r_0: Snap$m_Link$_beg_$_end_ :: + { cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0), + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) } + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_l_0) == + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_List$0$field$f$head$axiom { + (forall _0: Snap$m_Link$_beg_$_end_ :: + { Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) } + Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List(_0)) == + _0) + } +} + +domain Snap$struct$m_Node { + + function Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self: Snap$struct$m_Node): Int + + 
function Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(self: Snap$struct$m_Node): Snap$m_Link$_beg_$_end_ + + axiom Snap$struct$m_Node$0$field$f$elem$valid { + (forall self: Snap$struct$m_Node :: + { Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) } + -2147483648 <= + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) && + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(self) <= + 2147483647) + } +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function 
f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation 
"fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function 
bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + 
function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: 
BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 
interpretation "bvneg" +} + +field discriminant: Int + +field enum_Some: Ref + +field f$0: Ref + +field f$head: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function builtin$unreach__$TY$__$int$$$int$(): Int + requires false + + +function f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1: Snap$m_Link$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 +} + +function f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1: Snap$m_Link$_beg_$_end_): Int + requires true + requires true + ensures (!f_Link$$is_empty__$TY$__Snap$m_Link$_beg_$_end_$$bool$(_1) ==> + result > 0) && + result >= 0 + ensures 0 <= result + ensures [result == + mirror_simple$f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + 0 : + 1 + + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1: Snap$m_Link$_beg_$_end_, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(_1, + _2), + true] +{ + (discriminant$__$TY$__Snap$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_$$int$(_1) == + 0 ? + builtin$unreach__$TY$__$int$$$int$() : + (_2 != 0 ? 
+ f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_Node$0$field$f$next__$TY$__Snap$struct$m_Node$Snap$m_Link$_beg_$_end_(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)), + _2 - 1) : + Snap$struct$m_Node$0$field$f$elem__$TY$__Snap$struct$m_Node$$int$(Snap$m_Link$_beg_$_end_$1$field$f$0__$TY$__Snap$m_Link$_beg_$_end_$Snap$struct$m_Node(_1)))) +} + +function f_List$$len__$TY$__Snap$struct$m_List$$int$(_1: Snap$struct$m_List): Int + requires true + requires true + ensures true + ensures 0 <= result + ensures [result == + mirror_simple$f_List$$len__$TY$__Snap$struct$m_List$$int$(_1), + true] +{ + f_Link$$len__$TY$__Snap$m_Link$_beg_$_end_$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1)) +} + +function f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1: Snap$struct$m_List, + _2: Int): Int + requires true + requires 0 <= _2 && _2 < f_List$$len__$TY$__Snap$struct$m_List$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(_1, _2), + true] +{ + f_Link$$lookup__$TY$__Snap$m_Link$_beg_$_end_$$int$$$int$(Snap$struct$m_List$0$field$f$head__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_(_1), + _2) +} + +function f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + mirror_simple$f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1), + true] +{ + !(discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0) +} + +function f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1: Snap$m_TrustedOption$_beg_$_end_): Bool + requires true + requires true + ensures true + ensures [result == + 
mirror_simple$f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1), + true] +{ + discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0 +} + +function f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1: Snap$m_TrustedOption$_beg_$_end_): Int + requires true + requires f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(_1) + ensures true + ensures [result == + mirror_simple$f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1), + true] +{ + (discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(_1) == + 0 ? + Snap$m_TrustedOption$_beg_$_end_$0$field$f$0__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(_1) : + builtin$unreach__$TY$__$int$$$int$()) +} + +function m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(self: Ref): Int + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) + ensures 0 <= result && result <= 1 + ensures discriminant$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self)) == + result +{ + (unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) +} + +function snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self: Ref): Snap$m_Link$_beg_$_end_ + requires acc(m_Link$_beg_$_end_(self), read$()) + + +function snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(self: Ref): Snap$m_TrustedOption$_beg_$_end_ + requires acc(m_TrustedOption$_beg_$_end_(self), read$()) +{ + ((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + self.discriminant) == + 1 ? 
+ cons$1$__$TY$__Snap$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_() : + cons$0$__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$$Snap$m_TrustedOption$_beg_$_end_((unfolding acc(m_TrustedOption$_beg_$_end_(self), read$()) in + (unfolding acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), read$()) in + (unfolding acc(i32(self.enum_Some.f$0), read$()) in + self.enum_Some.f$0.val_int))))) +} + +function snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(self: Ref): Snap$struct$m_List + requires acc(struct$m_List(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_List$Snap$m_Link$_beg_$_end_$Snap$struct$m_List((unfolding acc(struct$m_List(self), read$()) in + snap$__$TY$__Snap$m_Link$_beg_$_end_$m_Link$_beg_$_end_$Snap$m_Link$_beg_$_end_(self.f$head))) +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate m_Link$_beg_$_end_(self: Ref) + +predicate m_TrustedOption$_beg_$_end_(self: Ref) { + acc(self.discriminant, write) && + (0 <= self.discriminant && self.discriminant <= 1 && + (acc(self.enum_Some, write) && + acc(m_TrustedOption$_beg_$_end_Some(self.enum_Some), write))) +} + +predicate m_TrustedOption$_beg_$_end_Some(self: Ref) { + acc(self.f$0, write) && acc(i32(self.f$0), write) +} + +predicate struct$m_List(self: Ref) { + acc(self.f$head, write) && acc(m_Link$_beg_$_end_(self.f$head), write) +} + +predicate tuple0$(self: Ref) { + true +} + +method m_test$$basics() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var __t10: Bool + var __t11: Bool + var __t12: Bool + var __t13: Bool + var __t14: Bool + var __t15: Bool + var __t16: Bool + var __t17: Bool + var __t18: Bool + var __t19: Bool + var 
__t20: Bool + var __t21: Bool + var __t22: Bool + var __t23: Bool + var __t24: Bool + var __t25: Bool + var __t26: Bool + var __t27: Bool + var __t28: Bool + var __t29: Bool + var __t30: Bool + var __t31: Bool + var __t32: Bool + var __t33: Bool + var __t34: Bool + var __t35: Bool + var __t36: Bool + var __t37: Bool + var __t38: Bool + var __t39: Bool + var __t40: Bool + var __t41: Bool + var __t42: Bool + var __t43: Bool + var __t44: Bool + var __t45: Bool + var __t46: Bool + var __t47: Int + var __t48: Bool + var __t49: Int + var __t50: Bool + var __t51: Int + var __t52: Bool + var __t53: Int + var __t54: Bool + var __t55: Int + var __t56: Bool + var __t57: Bool + var _1: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _9: Ref + var _10: Ref + var _11: Ref + var _12: Ref + var _13: Ref + var _14: Ref + var _16: Ref + var _17: Ref + var _18: Int + var _19: Int + var _20: Ref + var _21: Ref + var _22: Int + var _26: Ref + var _27: Ref + var _28: Int + var _29: Int + var _30: Ref + var _31: Ref + var _32: Int + var _35: Ref + var _36: Ref + var _37: Ref + var _38: Ref + var _40: Ref + var _41: Ref + var _42: Int + var _43: Int + var _44: Ref + var _45: Ref + var _46: Int + var _50: Ref + var _51: Ref + var _52: Int + var _53: Int + var _54: Ref + var _55: Ref + var _56: Int + var _60: Ref + var _61: Ref + var _62: Int + var _63: Int + var _64: Ref + var _65: Ref + var _66: Int + var _70: Ref + var _71: Ref + var _72: Ref + var _73: Ref + var _74: Ref + var _t76: Ref + var _t77: Ref + var _t78: Ref + var _t79: Ref + var _t80: Ref + + label start + // ========== start ========== + // Def path: "first_final::test::basics" + // Span: tests/verify/pass/larger/first-final.rs:183:5: 224:6 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + __t10 := false + __t11 := false + __t12 := false + __t13 := false + __t14 := false + __t15 
:= false + __t16 := false + __t17 := false + __t18 := false + __t19 := false + __t20 := false + __t21 := false + __t22 := false + __t23 := false + __t24 := false + __t25 := false + __t26 := false + __t27 := false + __t28 := false + __t29 := false + __t30 := false + __t31 := false + __t32 := false + __t33 := false + __t34 := false + __t35 := false + __t36 := false + __t37 := false + __t38 := false + __t39 := false + __t40 := false + __t41 := false + __t42 := false + __t43 := false + __t44 := false + __t45 := false + // Preconditions: + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_1) + // [mir] _1 = List::new() -> [return: bb1, unwind: bb47] + label l0 + _1 := builtin$havoc_ref() + inhale acc(struct$m_List(_1), write) + inhale true + inhale f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_1)) == + 0 + label l1 + // ========== bb1 ========== + __t1 := true + // [mir] FakeRead(ForLet(None), _1) + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] _7 = &mut _1 + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _1 + label l2 + // [mir] _6 = List::pop(move _7) -> [return: bb2, unwind: bb46] + label l3 + assert true + exhale acc(_7.val_ref, write) && acc(struct$m_List(_7.val_ref), write) + _6 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l3](_7.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_6), write) + inhale true + inhale (old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_6))) && + 
((old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l3](_7.val_ref))) == + 0) && + ((old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_6))) && + ((old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_6)) == + old[l3](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref), + 0))) && + ((old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l3](_7.val_ref))) == + old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref)) - + 1)) && + (old[l3](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l3](_7.val_ref))) ==> + 
old[l3](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_7.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l3](_7.val_ref)), + _0_quant_0)))))))) + label l4 + // ========== l5 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L26,L0,) + + // ========== bb2 ========== + __t2 := true + // [mir] _5 = &_6 + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _6 + exhale acc(m_TrustedOption$_beg_$_end_(_6), write - read$()) + inhale acc(m_TrustedOption$_beg_$_end_(_5.val_ref), read$()) + label l6 + // [mir] StorageDead(_7) + // [mir] _4 = TrustedOption::is_none(move _5) -> [return: bb3, unwind: bb46] + label l7 + _4 := builtin$havoc_ref() + inhale acc(bool(_4), write) + inhale (unfolding acc(bool(_4), write) in _4.val_bool) == + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_5.val_ref)) + // transfer perm _5.val_ref --> old[l7](_5.val_ref) // unchecked: false + // ========== l8 ========== + // MIR edge bb2 --> bb3 + // Expire borrows + // expire_borrows ReborrowingDAG(L25,L1,) + + if (__t2 && __t2) { + // expire loan L1 + // transfer perm old[l7](_5.val_ref) --> old[l6](_5.val_ref) // unchecked: false + exhale acc(m_TrustedOption$_beg_$_end_(old[l6](_5.val_ref)), read$()) + inhale acc(m_TrustedOption$_beg_$_end_(_6), write - read$()) + } + // ========== bb3 ========== + __t3 := true + // [mir] StorageDead(_5) + // [mir] _3 = Not(move _4) + _3 := builtin$havoc_ref() + inhale acc(_3.val_bool, write) + unfold acc(bool(_4), write) + _3.val_bool := !_4.val_bool + // [mir] StorageDead(_6) + // [mir] StorageDead(_4) + // [mir] switchInt(move _3) -> [0: bb5, otherwise: bb4] + __t46 := _3.val_bool + if (__t46) 
{ + goto bb12 + } + goto return + + label bb0 + // ========== l27 ========== + // MIR edge bb9 --> bb11 + // ========== bb11 ========== + __t10 := true + // [mir] StorageLive(_24) + // [mir] _24 = core::panicking::panic(const "internal error: entered unreachable code") -> bb46 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label bb1 + // ========== l28 ========== + // MIR edge bb9 --> bb10 + // ========== bb10 ========== + __t11 := true + // [mir] falseEdge -> [real: bb12, imaginary: bb11] + // ========== bb12 ========== + __t12 := true + // [mir] StorageLive(_19) + // [mir] _19 = ((_16 as Some).0: i32) + _19 := builtin$havoc_int() + unfold acc(m_TrustedOption$_beg_$_end_(_16), write) + unfold acc(m_TrustedOption$_beg_$_end_Some(_16.enum_Some), write) + unfold acc(i32(_16.enum_Some.f$0), write) + _19 := _16.enum_Some.f$0.val_int + label l29 + // [mir] StorageLive(_20) + // [mir] StorageLive(_21) + // [mir] StorageLive(_22) + // [mir] _22 = _19 + _22 := builtin$havoc_int() + _22 := _19 + label l30 + // [mir] _21 = Eq(move _22, const 3_i32) + _21 := builtin$havoc_ref() + inhale acc(_21.val_bool, write) + _21.val_bool := _22 == 3 + // [mir] StorageDead(_22) + // [mir] _20 = Not(move _21) + _20 := builtin$havoc_ref() + inhale acc(_20.val_bool, write) + _20.val_bool := !_21.val_bool + // [mir] StorageDead(_21) + // [mir] switchInt(move _20) -> [0: bb14, otherwise: bb13] + __t48 := _20.val_bool + if (__t48) { + goto bb10 + } + goto l5 + + label bb10 + // ========== l32 ========== + // MIR edge bb12 --> bb13 + // ========== bb13 ========== + __t13 := true + // [mir] StorageLive(_23) + // [mir] _23 = core::panicking::panic(const "assertion failed: val == 3") -> bb46 + // Rust panic - const "assertion failed: val == 3" + assert false + goto end_of_method + + label bb11 + // ========== l42 ========== + // MIR edge bb18 --> bb19 + // ========== bb19 ========== + __t19 := true + // [mir] StorageLive(_33) + // [mir] 
_33 = core::panicking::panic(const "assertion failed: val == 2") -> bb46 + // Rust panic - const "assertion failed: val == 2" + assert false + goto end_of_method + + label bb12 + // ========== l10 ========== + // MIR edge bb3 --> bb4 + // ========== bb4 ========== + __t4 := true + // [mir] StorageLive(_8) + // [mir] _8 = core::panicking::panic(const "assertion failed: list.pop().is_none()") -> bb46 + // Rust panic - const "assertion failed: list.pop().is_none()" + assert false + goto end_of_method + + label bb2 + // ========== l37 ========== + // MIR edge bb15 --> bb17 + // ========== bb17 ========== + __t16 := true + // [mir] StorageLive(_34) + // [mir] _34 = core::panicking::panic(const "internal error: entered unreachable code") -> bb46 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label bb3 + // ========== l41 ========== + // MIR edge bb18 --> bb20 + // ========== bb20 ========== + __t20 := true + // [mir] _25 = const () + // [mir] StorageDead(_30) + // [mir] StorageDead(_29) + // [mir] StorageDead(_26) + // [mir] StorageDead(_25) + // [mir] StorageLive(_35) + // [mir] StorageLive(_36) + // [mir] _36 = &mut _1 + _36 := builtin$havoc_ref() + inhale acc(_36.val_ref, write) + _36.val_ref := _1 + label l43 + // [mir] _35 = List::push(move _36, const 4_i32) -> [return: bb21, unwind: bb46] + label l44 + _t79 := builtin$havoc_ref() + inhale acc(i32(_t79), write) + assert true + exhale acc(_36.val_ref, write) && + (acc(struct$m_List(_36.val_ref), write) && acc(i32(_t79), write)) + _35 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l44](_36.val_ref)), write) + inhale acc(tuple0$(_35), write) + inhale true + inhale f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l44](_36.val_ref))) == + old[l44](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_36.val_ref))) + + 1 && + 
(f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l44](_36.val_ref)), + 0) == + old[l44](4) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(1 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l44](_36.val_ref))) ==> + old[l44](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_36.val_ref), + _0_quant_0 - 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l44](_36.val_ref)), + _0_quant_0)))) + label l45 + // ========== l46 ========== + // MIR edge bb20 --> bb21 + // Expire borrows + // expire_borrows ReborrowingDAG(L21,L7,) + + // ========== bb21 ========== + __t21 := true + // [mir] StorageDead(_36) + // [mir] StorageDead(_35) + // [mir] StorageLive(_37) + // [mir] StorageLive(_38) + // [mir] _38 = &mut _1 + _38 := builtin$havoc_ref() + inhale acc(_38.val_ref, write) + _38.val_ref := _1 + label l47 + // [mir] _37 = List::push(move _38, const 5_i32) -> [return: bb22, unwind: bb46] + label l48 + _t80 := builtin$havoc_ref() + inhale acc(i32(_t80), write) + assert true + exhale acc(_38.val_ref, write) && + (acc(struct$m_List(_38.val_ref), write) && acc(i32(_t80), write)) + _37 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l48](_38.val_ref)), write) + inhale acc(tuple0$(_37), write) + inhale true + inhale f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l48](_38.val_ref))) == + old[l48](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_38.val_ref))) + + 1 && + (f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l48](_38.val_ref)), + 0) == + 
old[l48](5) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(1 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l48](_38.val_ref))) ==> + old[l48](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_38.val_ref), + _0_quant_0 - 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l48](_38.val_ref)), + _0_quant_0)))) + label l49 + // ========== l50 ========== + // MIR edge bb21 --> bb22 + // Expire borrows + // expire_borrows ReborrowingDAG(L19,L8,) + + // ========== bb22 ========== + __t22 := true + // [mir] StorageDead(_38) + // [mir] StorageDead(_37) + // [mir] StorageLive(_39) + // [mir] StorageLive(_40) + // [mir] StorageLive(_41) + // [mir] _41 = &mut _1 + _41 := builtin$havoc_ref() + inhale acc(_41.val_ref, write) + _41.val_ref := _1 + label l51 + // [mir] _40 = List::pop(move _41) -> [return: bb23, unwind: bb46] + label l52 + assert true + exhale acc(_41.val_ref, write) && acc(struct$m_List(_41.val_ref), write) + _40 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l52](_41.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_40), write) + inhale true + inhale (old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_40))) && + ((old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l52](_41.val_ref))) == + 0) && + 
((old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_40))) && + ((old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_40)) == + old[l52](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref), + 0))) && + ((old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l52](_41.val_ref))) == + old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref)) - + 1)) && + (old[l52](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l52](_41.val_ref))) ==> + old[l52](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_41.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l52](_41.val_ref)), + _0_quant_0)))))))) + label l53 + // ========== l54 ========== + 
// MIR edge bb22 --> bb23 + // Expire borrows + // expire_borrows ReborrowingDAG(L22,L9,) + + // ========== bb23 ========== + __t23 := true + // [mir] StorageDead(_41) + // [mir] FakeRead(ForMatchedPlace(None), _40) + // [mir] _42 = discriminant(_40) + _42 := builtin$havoc_int() + _42 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_40) + // [mir] switchInt(move _42) -> [0: bb24, otherwise: bb25] + __t51 := _42 + if (__t51 == 0) { + goto l10 + } + goto l9 + + label bb4 + // ========== l59 ========== + // MIR edge bb26 --> bb28 + // ========== bb28 ========== + __t28 := true + // [mir] _39 = const () + // [mir] StorageDead(_44) + // [mir] StorageDead(_43) + // [mir] StorageDead(_40) + // [mir] StorageDead(_39) + // [mir] StorageLive(_49) + // [mir] StorageLive(_50) + // [mir] StorageLive(_51) + // [mir] _51 = &mut _1 + _51 := builtin$havoc_ref() + inhale acc(_51.val_ref, write) + _51.val_ref := _1 + label l61 + // [mir] _50 = List::pop(move _51) -> [return: bb29, unwind: bb46] + label l62 + assert true + exhale acc(_51.val_ref, write) && acc(struct$m_List(_51.val_ref), write) + _50 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l62](_51.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_50), write) + inhale true + inhale (old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_50))) && + ((old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l62](_51.val_ref))) == + 0) && + 
((old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_50))) && + ((old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_50)) == + old[l62](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref), + 0))) && + ((old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l62](_51.val_ref))) == + old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref)) - + 1)) && + (old[l62](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l62](_51.val_ref))) ==> + old[l62](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_51.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l62](_51.val_ref)), + _0_quant_0)))))))) + label l63 + // ========== l64 ========== + 
// MIR edge bb28 --> bb29 + // Expire borrows + // expire_borrows ReborrowingDAG(L28,L10,) + + // ========== bb29 ========== + __t29 := true + // [mir] StorageDead(_51) + // [mir] FakeRead(ForMatchedPlace(None), _50) + // [mir] _52 = discriminant(_50) + _52 := builtin$havoc_int() + _52 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_50) + // [mir] switchInt(move _52) -> [0: bb30, otherwise: bb31] + __t53 := _52 + if (__t53 == 0) { + goto l14 + } + goto bb5 + + label bb5 + // ========== l65 ========== + // MIR edge bb29 --> bb31 + // ========== bb31 ========== + __t30 := true + // [mir] StorageLive(_58) + // [mir] _58 = core::panicking::panic(const "internal error: entered unreachable code") -> bb46 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label bb6 + // ========== l69 ========== + // MIR edge bb32 --> bb34 + // ========== bb34 ========== + __t34 := true + // [mir] _49 = const () + // [mir] StorageDead(_54) + // [mir] StorageDead(_53) + // [mir] StorageDead(_50) + // [mir] StorageDead(_49) + // [mir] StorageLive(_59) + // [mir] StorageLive(_60) + // [mir] StorageLive(_61) + // [mir] _61 = &mut _1 + _61 := builtin$havoc_ref() + inhale acc(_61.val_ref, write) + _61.val_ref := _1 + label l71 + // [mir] _60 = List::pop(move _61) -> [return: bb35, unwind: bb46] + label l72 + assert true + exhale acc(_61.val_ref, write) && acc(struct$m_List(_61.val_ref), write) + _60 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l72](_61.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_60), write) + inhale true + inhale (old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_60))) && + 
((old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l72](_61.val_ref))) == + 0) && + ((old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_60))) && + ((old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_60)) == + old[l72](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref), + 0))) && + ((old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l72](_61.val_ref))) == + old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref)) - + 1)) && + (old[l72](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l72](_61.val_ref))) ==> + 
old[l72](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_61.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l72](_61.val_ref)), + _0_quant_0)))))))) + label l73 + // ========== l74 ========== + // MIR edge bb34 --> bb35 + // Expire borrows + // expire_borrows ReborrowingDAG(L18,L11,) + + // ========== bb35 ========== + __t35 := true + // [mir] StorageDead(_61) + // [mir] FakeRead(ForMatchedPlace(None), _60) + // [mir] _62 = discriminant(_60) + _62 := builtin$havoc_int() + _62 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_60) + // [mir] switchInt(move _62) -> [0: bb36, otherwise: bb37] + __t55 := _62 + if (__t55 == 0) { + goto bb7 + } + goto l18 + + label bb7 + // ========== l76 ========== + // MIR edge bb35 --> bb36 + // ========== bb36 ========== + __t37 := true + // [mir] falseEdge -> [real: bb38, imaginary: bb37] + // ========== bb38 ========== + __t38 := true + // [mir] StorageLive(_63) + // [mir] _63 = ((_60 as Some).0: i32) + _63 := builtin$havoc_int() + unfold acc(m_TrustedOption$_beg_$_end_(_60), write) + unfold acc(m_TrustedOption$_beg_$_end_Some(_60.enum_Some), write) + unfold acc(i32(_60.enum_Some.f$0), write) + _63 := _60.enum_Some.f$0.val_int + label l77 + // [mir] StorageLive(_64) + // [mir] StorageLive(_65) + // [mir] StorageLive(_66) + // [mir] _66 = _63 + _66 := builtin$havoc_int() + _66 := _63 + label l78 + // [mir] _65 = Eq(move _66, const 1_i32) + _65 := builtin$havoc_ref() + inhale acc(_65.val_bool, write) + _65.val_bool := _66 == 1 + // [mir] StorageDead(_66) + // [mir] _64 = Not(move _65) + _64 := builtin$havoc_ref() + inhale acc(_64.val_bool, write) + _64.val_bool := !_65.val_bool + // [mir] StorageDead(_65) + // [mir] switchInt(move _64) -> [0: bb40, otherwise: bb39] + __t56 := _64.val_bool + if (__t56) { + goto bb9 + } + 
goto l22 + + label bb8 + // ========== l88 ========== + // MIR edge bb42 --> bb44 + // ========== bb44 ========== + __t44 := true + // [mir] _69 = const () + // [mir] StorageDead(_70) + // [mir] StorageDead(_69) + // [mir] _0 = const () + // [mir] drop(_1) -> [return: bb45, unwind: bb47] + // ========== bb45 ========== + __t45 := true + // [mir] StorageDead(_1) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l91 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + + label bb9 + // ========== l80 ========== + // MIR edge bb38 --> bb39 + // ========== bb39 ========== + __t39 := true + // [mir] StorageLive(_67) + // [mir] _67 = core::panicking::panic(const "assertion failed: val == 1") -> bb46 + // Rust panic - const "assertion failed: val == 1" + assert false + goto end_of_method + + label l10 + // ========== l56 ========== + // MIR edge bb23 --> bb24 + // ========== bb24 ========== + __t25 := true + // [mir] falseEdge -> [real: bb26, imaginary: bb25] + // ========== bb26 ========== + __t26 := true + // [mir] StorageLive(_43) + // [mir] _43 = ((_40 as Some).0: i32) + _43 := builtin$havoc_int() + unfold acc(m_TrustedOption$_beg_$_end_(_40), write) + unfold acc(m_TrustedOption$_beg_$_end_Some(_40.enum_Some), write) + unfold acc(i32(_40.enum_Some.f$0), write) + _43 := _40.enum_Some.f$0.val_int + label l57 + // [mir] StorageLive(_44) + // [mir] StorageLive(_45) + // [mir] StorageLive(_46) + // [mir] _46 = _43 + _46 := builtin$havoc_int() + _46 := _43 + label l58 + // 
[mir] _45 = Eq(move _46, const 5_i32) + _45 := builtin$havoc_ref() + inhale acc(_45.val_bool, write) + _45.val_bool := _46 == 5 + // [mir] StorageDead(_46) + // [mir] _44 = Not(move _45) + _44 := builtin$havoc_ref() + inhale acc(_44.val_bool, write) + _44.val_bool := !_45.val_bool + // [mir] StorageDead(_45) + // [mir] switchInt(move _44) -> [0: bb28, otherwise: bb27] + __t52 := _44.val_bool + if (__t52) { + goto l28 + } + goto bb4 + + label l14 + // ========== l66 ========== + // MIR edge bb29 --> bb30 + // ========== bb30 ========== + __t31 := true + // [mir] falseEdge -> [real: bb32, imaginary: bb31] + // ========== bb32 ========== + __t32 := true + // [mir] StorageLive(_53) + // [mir] _53 = ((_50 as Some).0: i32) + _53 := builtin$havoc_int() + unfold acc(m_TrustedOption$_beg_$_end_(_50), write) + unfold acc(m_TrustedOption$_beg_$_end_Some(_50.enum_Some), write) + unfold acc(i32(_50.enum_Some.f$0), write) + _53 := _50.enum_Some.f$0.val_int + label l67 + // [mir] StorageLive(_54) + // [mir] StorageLive(_55) + // [mir] StorageLive(_56) + // [mir] _56 = _53 + _56 := builtin$havoc_int() + _56 := _53 + label l68 + // [mir] _55 = Eq(move _56, const 4_i32) + _55 := builtin$havoc_ref() + inhale acc(_55.val_bool, write) + _55.val_bool := _56 == 4 + // [mir] StorageDead(_56) + // [mir] _54 = Not(move _55) + _54 := builtin$havoc_ref() + inhale acc(_54.val_bool, write) + _54.val_bool := !_55.val_bool + // [mir] StorageDead(_55) + // [mir] switchInt(move _54) -> [0: bb34, otherwise: bb33] + __t54 := _54.val_bool + if (__t54) { + goto l27 + } + goto bb6 + + label l18 + // ========== l75 ========== + // MIR edge bb35 --> bb37 + // ========== bb37 ========== + __t36 := true + // [mir] StorageLive(_68) + // [mir] _68 = core::panicking::panic(const "internal error: entered unreachable code") -> bb46 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label l22 + // ========== l79 ========== + // MIR edge bb38 --> bb40 + // 
========== bb40 ========== + __t40 := true + // [mir] _59 = const () + // [mir] StorageDead(_64) + // [mir] StorageDead(_63) + // [mir] StorageDead(_60) + // [mir] StorageDead(_59) + // [mir] StorageLive(_69) + // [mir] StorageLive(_70) + // [mir] StorageLive(_71) + // [mir] StorageLive(_72) + // [mir] StorageLive(_73) + // [mir] StorageLive(_74) + // [mir] _74 = &mut _1 + _74 := builtin$havoc_ref() + inhale acc(_74.val_ref, write) + _74.val_ref := _1 + label l81 + // [mir] _73 = List::pop(move _74) -> [return: bb41, unwind: bb46] + label l82 + assert true + exhale acc(_74.val_ref, write) && acc(struct$m_List(_74.val_ref), write) + _73 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l82](_74.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_73), write) + inhale true + inhale (old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_73))) && + ((old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l82](_74.val_ref))) == + 0) && + ((old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_73))) && + ((old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref))) > + 0 ==> + 
f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_73)) == + old[l82](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref), + 0))) && + ((old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l82](_74.val_ref))) == + old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref)) - + 1)) && + (old[l82](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l82](_74.val_ref))) ==> + old[l82](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_74.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l82](_74.val_ref)), + _0_quant_0)))))))) + label l83 + // ========== l84 ========== + // MIR edge bb40 --> bb41 + // Expire borrows + // expire_borrows ReborrowingDAG(L23,L12,) + + // ========== bb41 ========== + __t41 := true + // [mir] _72 = &_73 + _72 := builtin$havoc_ref() + inhale acc(_72.val_ref, write) + _72.val_ref := _73 + exhale acc(m_TrustedOption$_beg_$_end_(_73), write - read$()) + inhale acc(m_TrustedOption$_beg_$_end_(_72.val_ref), read$()) + label l85 + // [mir] StorageDead(_74) + // [mir] _71 = TrustedOption::is_none(move _72) -> [return: bb42, 
unwind: bb46] + label l86 + _71 := builtin$havoc_ref() + inhale acc(bool(_71), write) + inhale (unfolding acc(bool(_71), write) in _71.val_bool) == + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_72.val_ref)) + // transfer perm _72.val_ref --> old[l86](_72.val_ref) // unchecked: false + // ========== l87 ========== + // MIR edge bb41 --> bb42 + // Expire borrows + // expire_borrows ReborrowingDAG(L24,L13,) + + if (__t41 && __t41) { + // expire loan L13 + // transfer perm old[l86](_72.val_ref) --> old[l85](_72.val_ref) // unchecked: false + exhale acc(m_TrustedOption$_beg_$_end_(old[l85](_72.val_ref)), read$()) + inhale acc(m_TrustedOption$_beg_$_end_(_73), write - read$()) + } + // ========== bb42 ========== + __t42 := true + // [mir] StorageDead(_72) + // [mir] _70 = Not(move _71) + _70 := builtin$havoc_ref() + inhale acc(_70.val_bool, write) + unfold acc(bool(_71), write) + _70.val_bool := !_71.val_bool + // [mir] StorageDead(_73) + // [mir] StorageDead(_71) + // [mir] switchInt(move _70) -> [0: bb44, otherwise: bb43] + __t57 := _70.val_bool + if (__t57) { + goto l26 + } + goto bb8 + + label l26 + // ========== l89 ========== + // MIR edge bb42 --> bb43 + // ========== bb43 ========== + __t43 := true + // [mir] StorageLive(_75) + // [mir] _75 = core::panicking::panic(const "assertion failed: list.pop().is_none()") -> bb46 + // Rust panic - const "assertion failed: list.pop().is_none()" + assert false + goto end_of_method + + label l27 + // ========== l70 ========== + // MIR edge bb32 --> bb33 + // ========== bb33 ========== + __t33 := true + // [mir] StorageLive(_57) + // [mir] _57 = core::panicking::panic(const "assertion failed: val == 4") -> bb46 + // Rust panic - const "assertion failed: val == 4" + assert false + goto end_of_method + + label l28 + // ========== l60 ========== + // MIR edge bb26 --> bb27 + // ========== bb27 
========== + __t27 := true + // [mir] StorageLive(_47) + // [mir] _47 = core::panicking::panic(const "assertion failed: val == 5") -> bb46 + // Rust panic - const "assertion failed: val == 5" + assert false + goto end_of_method + + label l5 + // ========== l31 ========== + // MIR edge bb12 --> bb14 + // ========== bb14 ========== + __t14 := true + // [mir] _15 = const () + // [mir] StorageDead(_20) + // [mir] StorageDead(_19) + // [mir] StorageDead(_16) + // [mir] StorageDead(_15) + // [mir] StorageLive(_25) + // [mir] StorageLive(_26) + // [mir] StorageLive(_27) + // [mir] _27 = &mut _1 + _27 := builtin$havoc_ref() + inhale acc(_27.val_ref, write) + _27.val_ref := _1 + label l33 + // [mir] _26 = List::pop(move _27) -> [return: bb15, unwind: bb46] + label l34 + assert true + exhale acc(_27.val_ref, write) && acc(struct$m_List(_27.val_ref), write) + _26 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l34](_27.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_26), write) + inhale true + inhale (old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_26))) && + ((old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l34](_27.val_ref))) == + 0) && + ((old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_26))) && + 
((old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_26)) == + old[l34](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref), + 0))) && + ((old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l34](_27.val_ref))) == + old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref)) - + 1)) && + (old[l34](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l34](_27.val_ref))) ==> + old[l34](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_27.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l34](_27.val_ref)), + _0_quant_0)))))))) + label l35 + // ========== l36 ========== + // MIR edge bb14 --> bb15 + // Expire borrows + // expire_borrows ReborrowingDAG(L20,L6,) + + // ========== bb15 ========== + __t15 := true + // [mir] StorageDead(_27) + // [mir] FakeRead(ForMatchedPlace(None), _26) + // [mir] _28 = discriminant(_26) + _28 := builtin$havoc_int() + _28 := 
m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_26) + // [mir] switchInt(move _28) -> [0: bb16, otherwise: bb17] + __t49 := _28 + if (__t49 == 0) { + goto l8 + } + goto bb2 + + label l8 + // ========== l38 ========== + // MIR edge bb15 --> bb16 + // ========== bb16 ========== + __t17 := true + // [mir] falseEdge -> [real: bb18, imaginary: bb17] + // ========== bb18 ========== + __t18 := true + // [mir] StorageLive(_29) + // [mir] _29 = ((_26 as Some).0: i32) + _29 := builtin$havoc_int() + unfold acc(m_TrustedOption$_beg_$_end_(_26), write) + unfold acc(m_TrustedOption$_beg_$_end_Some(_26.enum_Some), write) + unfold acc(i32(_26.enum_Some.f$0), write) + _29 := _26.enum_Some.f$0.val_int + label l39 + // [mir] StorageLive(_30) + // [mir] StorageLive(_31) + // [mir] StorageLive(_32) + // [mir] _32 = _29 + _32 := builtin$havoc_int() + _32 := _29 + label l40 + // [mir] _31 = Eq(move _32, const 2_i32) + _31 := builtin$havoc_ref() + inhale acc(_31.val_bool, write) + _31.val_bool := _32 == 2 + // [mir] StorageDead(_32) + // [mir] _30 = Not(move _31) + _30 := builtin$havoc_ref() + inhale acc(_30.val_bool, write) + _30.val_bool := !_31.val_bool + // [mir] StorageDead(_31) + // [mir] switchInt(move _30) -> [0: bb20, otherwise: bb19] + __t50 := _30.val_bool + if (__t50) { + goto bb11 + } + goto bb3 + + label l9 + // ========== l55 ========== + // MIR edge bb23 --> bb25 + // ========== bb25 ========== + __t24 := true + // [mir] StorageLive(_48) + // [mir] _48 = core::panicking::panic(const "internal error: entered unreachable code") -> bb46 + // Rust panic - const "internal error: entered unreachable code" + assert false + goto end_of_method + + label return + // ========== l9 ========== + // MIR edge bb3 --> bb5 + // ========== bb5 ========== + __t5 := true + // [mir] _2 = const () + // [mir] StorageDead(_3) + // [mir] StorageDead(_2) + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = &mut _1 + _10 := builtin$havoc_ref() 
+ inhale acc(_10.val_ref, write) + _10.val_ref := _1 + label l11 + // [mir] _9 = List::push(move _10, const 1_i32) -> [return: bb6, unwind: bb46] + label l12 + _t76 := builtin$havoc_ref() + inhale acc(i32(_t76), write) + assert true + exhale acc(_10.val_ref, write) && + (acc(struct$m_List(_10.val_ref), write) && acc(i32(_t76), write)) + _9 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l12](_10.val_ref)), write) + inhale acc(tuple0$(_9), write) + inhale true + inhale f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l12](_10.val_ref))) == + old[l12](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_10.val_ref))) + + 1 && + (f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l12](_10.val_ref)), + 0) == + old[l12](1) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(1 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l12](_10.val_ref))) ==> + old[l12](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_10.val_ref), + _0_quant_0 - 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l12](_10.val_ref)), + _0_quant_0)))) + label l13 + // ========== l14 ========== + // MIR edge bb5 --> bb6 + // Expire borrows + // expire_borrows ReborrowingDAG(L17,L2,) + + // ========== bb6 ========== + __t6 := true + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] _12 = &mut _1 + _12 := builtin$havoc_ref() + inhale acc(_12.val_ref, write) + _12.val_ref := _1 + label l15 + // [mir] _11 = List::push(move _12, const 2_i32) -> [return: bb7, unwind: bb46] + label l16 + _t77 := 
builtin$havoc_ref() + inhale acc(i32(_t77), write) + assert true + exhale acc(_12.val_ref, write) && + (acc(struct$m_List(_12.val_ref), write) && acc(i32(_t77), write)) + _11 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l16](_12.val_ref)), write) + inhale acc(tuple0$(_11), write) + inhale true + inhale f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l16](_12.val_ref))) == + old[l16](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_12.val_ref))) + + 1 && + (f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l16](_12.val_ref)), + 0) == + old[l16](2) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(1 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l16](_12.val_ref))) ==> + old[l16](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_12.val_ref), + _0_quant_0 - 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l16](_12.val_ref)), + _0_quant_0)))) + label l17 + // ========== l18 ========== + // MIR edge bb6 --> bb7 + // Expire borrows + // expire_borrows ReborrowingDAG(L29,L3,) + + // ========== bb7 ========== + __t7 := true + // [mir] StorageDead(_12) + // [mir] StorageDead(_11) + // [mir] StorageLive(_13) + // [mir] StorageLive(_14) + // [mir] _14 = &mut _1 + _14 := builtin$havoc_ref() + inhale acc(_14.val_ref, write) + _14.val_ref := _1 + label l19 + // [mir] _13 = List::push(move _14, const 3_i32) -> [return: bb8, unwind: bb46] + label l20 + _t78 := builtin$havoc_ref() + inhale acc(i32(_t78), write) + assert true + exhale acc(_14.val_ref, write) && + (acc(struct$m_List(_14.val_ref), write) && acc(i32(_t78), 
write)) + _13 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l20](_14.val_ref)), write) + inhale acc(tuple0$(_13), write) + inhale true + inhale f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l20](_14.val_ref))) == + old[l20](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_14.val_ref))) + + 1 && + (f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l20](_14.val_ref)), + 0) == + old[l20](3) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(1 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l20](_14.val_ref))) ==> + old[l20](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_14.val_ref), + _0_quant_0 - 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l20](_14.val_ref)), + _0_quant_0)))) + label l21 + // ========== l22 ========== + // MIR edge bb7 --> bb8 + // Expire borrows + // expire_borrows ReborrowingDAG(L27,L4,) + + // ========== bb8 ========== + __t8 := true + // [mir] StorageDead(_14) + // [mir] StorageDead(_13) + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] StorageLive(_17) + // [mir] _17 = &mut _1 + _17 := builtin$havoc_ref() + inhale acc(_17.val_ref, write) + _17.val_ref := _1 + label l23 + // [mir] _16 = List::pop(move _17) -> [return: bb9, unwind: bb46] + label l24 + assert true + exhale acc(_17.val_ref, write) && acc(struct$m_List(_17.val_ref), write) + _16 := builtin$havoc_ref() + inhale acc(struct$m_List(old[l24](_17.val_ref)), write) + inhale acc(m_TrustedOption$_beg_$_end_(_16), write) + inhale true + inhale 
(old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref))) == + 0 ==> + f_TrustedOption$$is_none__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_16))) && + ((old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref))) == + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l24](_17.val_ref))) == + 0) && + ((old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref))) > + 0 ==> + f_TrustedOption$$is_some__$TY$__Snap$m_TrustedOption$_beg_$_end_$$bool$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_16))) && + ((old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref))) > + 0 ==> + f_TrustedOption$$peek__$TY$__Snap$m_TrustedOption$_beg_$_end_$$int$(snap$__$TY$__Snap$m_TrustedOption$_beg_$_end_$m_TrustedOption$_beg_$_end_$Snap$m_TrustedOption$_beg_$_end_(_16)) == + old[l24](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref), + 0))) && + ((old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref))) > + 0 ==> + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l24](_17.val_ref))) == + old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref)) - + 1)) && + 
(old[l24](f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref))) > + 0 ==> + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + f_List$$len__$TY$__Snap$struct$m_List$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l24](_17.val_ref))) ==> + old[l24](f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(_17.val_ref), + _0_quant_0 + 1)) == + f_List$$lookup__$TY$__Snap$struct$m_List$$int$$$int$(snap$__$TY$__Snap$struct$m_List$struct$m_List$Snap$struct$m_List(old[l24](_17.val_ref)), + _0_quant_0)))))))) + label l25 + // ========== l26 ========== + // MIR edge bb8 --> bb9 + // Expire borrows + // expire_borrows ReborrowingDAG(L16,L5,) + + // ========== bb9 ========== + __t9 := true + // [mir] StorageDead(_17) + // [mir] FakeRead(ForMatchedPlace(None), _16) + // [mir] _18 = discriminant(_16) + _18 := builtin$havoc_int() + _18 := m_TrustedOption$_beg_$_end_$$discriminant$$__$TY$__m_TrustedOption$_beg_$_end_$$int$(_16) + // [mir] switchInt(move _18) -> [0: bb10, otherwise: bb11] + __t47 := _18 + if (__t47 == 0) { + goto bb1 + } + goto bb0 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--foo-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--foo-Both.vpr new file mode 100644 index 00000000..3c9e14b7 --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--foo-Both.vpr 
@@ -0,0 +1,798 @@ +domain MirrorDomain { + + function mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + + function mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + + function mirror_simple$f_some_condition__$TY$__$int$$$bool$(_1: Int): Bool +} + +domain Snap$struct$m_VecWrapperI32 { + + function cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global): Snap$struct$m_VecWrapperI32 + + function Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Snap$struct$m_VecWrapperI32): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + + axiom Snap$struct$m_VecWrapperI32$0$injectivity { + (forall _l_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global, + _r_0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0), + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) } + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_l_0) == + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_r_0) ==> + _l_0 == _r_0) + } + + axiom Snap$struct$m_VecWrapperI32$0$field$f$v$axiom { + (forall _0: Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global :: + { 
Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) } + Snap$struct$m_VecWrapperI32$0$field$f$v__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32(_0)) == + _0) + } +} + +domain Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global { + + +} + +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): 
FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function 
f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): 
BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): 
BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function 
bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + 
function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field f$v: Ref + +field tuple_0: Ref + +field tuple_1: Ref + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1: Snap$struct$m_VecWrapperI32): Int + requires true + requires true + ensures result >= 0 && result < 18446744073709551615 + ensures 0 <= result + ensures [result == + mirror_simple$f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1), + true] + + +function f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1: Snap$struct$m_VecWrapperI32, + _2: Int): Int + requires true + requires 0 <= _2 && + _2 < f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(_1) + requires 0 <= _2 + ensures true + ensures [result == + mirror_simple$f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(_1, + _2), + true] + + +function f_some_condition__$TY$__$int$$$bool$(_1: Int): Bool + requires true + requires true + ensures true + ensures [result == mirror_simple$f_some_condition__$TY$__$int$$$bool$(_1), + true] +{ + _1 > 0 +} + +function snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(self: Ref): Snap$struct$m_VecWrapperI32 + requires acc(struct$m_VecWrapperI32(self), read$()) +{ + cons$0$__$TY$__Snap$struct$m_VecWrapperI32$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_VecWrapperI32((unfolding acc(struct$m_VecWrapperI32(self), read$()) in + snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v))) +} + +function 
snap$__$TY$__Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global$Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref): Snap$struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global + requires acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self), read$()) + + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +predicate struct$m_VecWrapperI32(self: Ref) { + acc(self.f$v, write) && + acc(struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self.f$v), write) +} + +predicate struct$m_std$$vec$$Vec$i32$struct$m_std$$alloc$$Global(self: Ref) + +predicate tuple0$(self: Ref) + +method m_foo() returns (_0: Ref) +{ + var __t0: Bool + var __t1: Bool + var __t2: Bool + var __t3: Bool + var __t4: Bool + var __t5: Bool + var __t6: Bool + var __t7: Bool + var __t8: Bool + var __t9: Bool + var _old$l2$0: Ref + var __t10: Bool + var __t11: Bool + var _1: Ref + var _2: Ref + var _3: Ref + var _4: Ref + var _5: Ref + var _6: Ref + var _7: Ref + var _8: Ref + var _9: Ref + var _10: Ref + var _11: Ref + var _12: Int + var _13: Ref + var _14: Ref + var _15: Ref + var _16: Ref + var _17: Int + var _t18: Int + var _t19: Ref + + label start + // ========== start ========== + // Def path: "borrow_first::foo" + // Span: tests/verify/pass/nll-rfc/borrow_first.rs:84:1: 93:2 (#0) + __t0 := false + __t1 := false + __t2 := false + __t3 := false + __t4 := false + __t5 := false + __t6 := false + __t7 := false + __t8 := false + __t9 := false + // Preconditions: + inhale acc(_1.val_ref, write) && + acc(struct$m_VecWrapperI32(_1.val_ref), write) + inhale true + inhale 
f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_1.val_ref)) > + 0 + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] StorageLive(_3) + // [mir] StorageLive(_4) + // [mir] _4 = &mut (*_1) + _4 := builtin$havoc_ref() + inhale acc(_4.val_ref, write) + _4.val_ref := _1.val_ref + label l0 + // [mir] _3 = VecWrapperI32::borrow(move _4, const 0_usize) -> [return: bb1, unwind: bb10] + label l1 + _t18 := builtin$havoc_int() + inhale _t18 >= 0 + assert 0 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_4.val_ref)) + assert true + exhale acc(_4.val_ref, write) && + (acc(struct$m_VecWrapperI32(_4.val_ref), write) && _t18 >= 0) + _3 := builtin$havoc_ref() + inhale acc(_3.val_ref, write) && acc(i32(_3.val_ref), write) + inhale true + label l2 + // ========== bb1 ========== + __t1 := true + // [mir] StorageDead(_4) + // [mir] FakeRead(ForLet(None), _3) + // [mir] StorageLive(_5) + // [mir] StorageLive(_6) + // [mir] StorageLive(_7) + // [mir] _7 = &(*_3) + _7 := builtin$havoc_ref() + inhale acc(_7.val_ref, write) + _7.val_ref := _3.val_ref + exhale acc(i32(_3.val_ref), write - read$()) + inhale acc(i32(_7.val_ref), read$()) + label l3 + // [mir] _6 = some_condition(move _7) -> [return: bb2, unwind: bb10] + label l4 + _6 := builtin$havoc_ref() + inhale acc(bool(_6), write) + inhale (unfolding acc(bool(_6), write) in _6.val_bool) == + f_some_condition__$TY$__$int$$$bool$((unfolding acc(i32(_7.val_ref), read$()) in + _7.val_ref.val_int)) + // transfer perm _7.val_ref --> old[l4](_7.val_ref) // unchecked: false + // ========== l5 ========== + // MIR edge bb1 --> bb2 + // Expire borrows + // expire_borrows ReborrowingDAG(L13,L1,) + + if (__t1 && __t1) { + // expire loan L1 + // transfer perm old[l4](_7.val_ref) --> 
old[l3](_7.val_ref) // unchecked: false + exhale acc(i32(old[l3](_7.val_ref)), read$()) + inhale acc(i32(_3.val_ref), write - read$()) + } + // ========== bb2 ========== + __t2 := true + // [mir] StorageDead(_7) + // [mir] switchInt(move _6) -> [0: bb4, otherwise: bb3] + unfold acc(bool(_6), write) + __t10 := _6.val_bool + if (__t10) { + goto bb0 + } + goto return + + label bb0 + // ========== l7 ========== + // MIR edge bb2 --> bb3 + // ========== bb3 ========== + __t3 := true + // [mir] StorageLive(_8) + // [mir] _8 = &mut (*_3) + _8 := builtin$havoc_ref() + inhale acc(_8.val_ref, write) + _8.val_ref := _3.val_ref + label l8 + // [mir] _5 = &mut (*_8) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _8.val_ref + label l9 + // [mir] StorageDead(_8) + // [mir] goto -> bb9 + // ========== l27 ========== + // drop Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + goto bb1 + + label bb1 + // ========== bb9 ========== + __t9 := true + // [mir] _2 = &mut (*_5) + _2 := builtin$havoc_ref() + inhale acc(_2.val_ref, write) + _2.val_ref := _5.val_ref + label l23 + // [mir] StorageDead(_6) + // [mir] StorageDead(_3) + // [mir] _0 = &mut (*_2) + _0 := builtin$havoc_ref() + inhale acc(_0.val_ref, write) + _0.val_ref := _2.val_ref + label l24 + // [mir] StorageDead(_5) + // [mir] StorageDead(_2) + // [mir] return + // obtain ((acc(i32(_0.val_ref), write)) && (true)) && (true) + label l25 + package acc(DeadBorrowToken$(-1), write) && + acc(i32(old[l25](_0.val_ref)), write) --* + acc(struct$m_VecWrapperI32(old[pre](_1.val_ref)), write) { + var _old$l21$0$p0: Ref + var _old$l2$0$p0: Ref + // expire_borrows ReborrowingDAG(L5,L4,L9,L3,L2,L18,L19,L14,L15,L8,L0,) + + if (__t9) { + // expire loan L5 + // transfer perm _0.val_ref --> old[l24](_2.val_ref) // unchecked: false + } + if (__t9 && __t9) { + // expire loan L4 + // transfer perm old[l24](_2.val_ref) --> old[l23](_2.val_ref) // unchecked: false + // transfer perm old[l23](_2.val_ref) --> 
old[l23](_5.val_ref) // unchecked: false + } + if (__t9 && __t9 && __t8) { + // restored (from log): Acc(_15.val_ref, write) + } + if (__t9 && __t9 && __t3) { + // restored (from log): Acc(_8.val_ref, write) + } + if (__t8 && (__t9 && __t9)) { + // expire loan L9 + // transfer perm old[l23](_5.val_ref) --> old[l22](_5.val_ref) // unchecked: false + // transfer perm old[l22](_5.val_ref) --> old[l22](_15.val_ref) // unchecked: false + } + if (__t3 && (__t9 && __t9)) { + // expire loan L3 + // transfer perm old[l23](_5.val_ref) --> old[l9](_5.val_ref) // unchecked: false + // transfer perm old[l9](_5.val_ref) --> old[l9](_8.val_ref) // unchecked: false + } + if (__t3 && (__t3 && (__t9 && __t9))) { + // expire loan L2 + // transfer perm old[l9](_8.val_ref) --> old[l8](_8.val_ref) // unchecked: false + // transfer perm old[l8](_8.val_ref) --> old[l8](_3.val_ref) // unchecked: false + } + if (__t0 && (__t3 && (__t3 && (__t9 && __t9)))) { + // expire loan L18 + _old$l2$0$p0 := old[l8](_3.val_ref) + inhale acc(DeadBorrowToken$(18), write) && + acc(i32(_old$l2$0$p0), write) --* + acc(struct$m_VecWrapperI32(old[l1](_4.val_ref)), write) + inhale acc(DeadBorrowToken$(18), write) + apply acc(DeadBorrowToken$(18), write) && + acc(i32(_old$l2$0$p0), write) --* + acc(struct$m_VecWrapperI32(old[l1](_4.val_ref)), write) + } + if (__t0 && (__t0 && (__t3 && (__t3 && (__t9 && __t9))))) { + // expire loan L19 + } + if (__t7 && (__t8 && (__t9 && __t9))) { + // expire loan L14 + _old$l21$0$p0 := old[l22](_15.val_ref) + inhale acc(DeadBorrowToken$(14), write) && + acc(i32(_old$l21$0$p0), write) --* + acc(struct$m_VecWrapperI32(old[l20](_16.val_ref)), write) + inhale acc(DeadBorrowToken$(14), write) + apply acc(DeadBorrowToken$(14), write) && + acc(i32(_old$l21$0$p0), write) --* + acc(struct$m_VecWrapperI32(old[l20](_16.val_ref)), write) + } + if (__t7 && (__t7 && (__t8 && (__t9 && __t9)))) { + // expire loan L15 + } + if (__t7 && (__t7 && (__t7 && (__t8 && (__t9 && __t9))))) { + // expire 
loan L8 + // transfer perm old[l20](_16.val_ref) --> old[l18](_16.val_ref) // unchecked: false + // transfer perm old[l18](_16.val_ref) --> _1.val_ref // unchecked: false + // drop Acc(_15.val_ref, write) (Acc(_15.val_ref, write)) + // restored (in branch merge): Acc(_15.val_ref, write) (Acc(_15.val_ref, write)) + // drop Acc(old[l22](_15.val_ref), write) (Acc(old[l22](_15.val_ref), write)) + } + if (__t0 && (__t0 && (__t0 && (__t3 && (__t3 && (__t9 && __t9)))))) { + // expire loan L0 + // transfer perm old[l1](_4.val_ref) --> old[l0](_4.val_ref) // unchecked: false + // transfer perm old[l0](_4.val_ref) --> _1.val_ref // unchecked: false + // drop Acc(old[l8](_3.val_ref), write) (Acc(old[l8](_3.val_ref), write)) + // drop Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + // restored (in branch merge): Acc(_8.val_ref, write) (Acc(_8.val_ref, write)) + } + // Fold predicates for &mut args + // transfer perm _1.val_ref --> old[pre](_1.val_ref) // unchecked: false + // obtain acc(struct$m_VecWrapperI32(old[pre](_1.val_ref)), write) + } + // transfer perm old[l25](_0.val_ref) --> _0.val_ref // unchecked: false + // ========== return ========== + // Target of any 'return' statement. 
+ // Exhale postcondition + label l26 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + // obtain acc(i32(_0.val_ref), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(_0.val_ref, write) && acc(i32(_0.val_ref), write) + // Exhale permissions of postcondition (3/3) + exhale acc(DeadBorrowToken$(-1), write) && + acc(i32(old[l26](_0.val_ref)), write) --* + acc(struct$m_VecWrapperI32(old[pre](_1.val_ref)), write) + goto end_of_method + + label return + // ========== l6 ========== + // MIR edge bb2 --> bb4 + // Expire borrows + // expire_borrows ReborrowingDAG(L18,L19,L0,) + + if (__t0) { + // expire loan L18 + _old$l2$0 := _3.val_ref + inhale acc(DeadBorrowToken$(18), write) && acc(i32(_old$l2$0), write) --* + acc(struct$m_VecWrapperI32(old[l1](_4.val_ref)), write) + inhale acc(DeadBorrowToken$(18), write) + apply acc(DeadBorrowToken$(18), write) && acc(i32(_old$l2$0), write) --* + acc(struct$m_VecWrapperI32(old[l1](_4.val_ref)), write) + } + // ========== bb4 ========== + __t4 := true + // [mir] StorageLive(_9) + // [mir] StorageLive(_10) + // [mir] _10 = &mut (*_1) + _10 := builtin$havoc_ref() + inhale acc(_10.val_ref, write) + _10.val_ref := _1.val_ref + label l10 + // [mir] _9 = VecWrapperI32::push(move _10, const 5_i32) -> [return: bb5, unwind: bb10] + label l11 + _t19 := builtin$havoc_ref() + inhale acc(i32(_t19), write) + assert true + exhale acc(_10.val_ref, write) && + (acc(struct$m_VecWrapperI32(_10.val_ref), write) && + acc(i32(_t19), write)) + _9 := builtin$havoc_ref() + inhale acc(struct$m_VecWrapperI32(old[l11](_10.val_ref)), write) + inhale acc(tuple0$(_9), write) + inhale true + inhale 
f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l11](_10.val_ref))) == + old[l11](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref))) + + 1 && + (f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l11](_10.val_ref)), + old[l11](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref)))) == + old[l11](5) && + (forall _0_quant_0: Int ::0 <= _0_quant_0 ==> + !(0 <= _0_quant_0) || + (_0_quant_0 < + old[l11](f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref))) ==> + f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(old[l11](_10.val_ref)), + _0_quant_0) == + old[l11](f_VecWrapperI32$$lookup__$TY$__Snap$struct$m_VecWrapperI32$$int$$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_10.val_ref), + _0_quant_0))))) + label l12 + // ========== l13 ========== + // MIR edge bb4 --> bb5 + // Expire borrows + // expire_borrows ReborrowingDAG(L16,L6,) + + // ========== bb5 ========== + __t5 := true + // [mir] StorageDead(_10) + // [mir] StorageDead(_9) + // [mir] StorageLive(_11) + // [mir] StorageLive(_12) + // [mir] StorageLive(_13) + // [mir] _13 = &(*_1) + _13 := builtin$havoc_ref() + inhale acc(_13.val_ref, write) + _13.val_ref := _1.val_ref + exhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + inhale acc(struct$m_VecWrapperI32(_13.val_ref), 
read$()) + label l14 + // [mir] _12 = VecWrapperI32::len(move _13) -> [return: bb6, unwind: bb10] + label l15 + _12 := builtin$havoc_int() + inhale _12 >= 0 + inhale _12 == + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_13.val_ref)) + // transfer perm _13.val_ref --> old[l15](_13.val_ref) // unchecked: false + // ========== l16 ========== + // MIR edge bb5 --> bb6 + // Expire borrows + // expire_borrows ReborrowingDAG(L17,L7,) + + if (__t5 && __t5) { + // expire loan L7 + // transfer perm old[l15](_13.val_ref) --> old[l14](_13.val_ref) // unchecked: false + exhale acc(struct$m_VecWrapperI32(old[l14](_13.val_ref)), read$()) + inhale acc(struct$m_VecWrapperI32(_1.val_ref), write - read$()) + } + // ========== bb6 ========== + __t6 := true + // [mir] StorageDead(_13) + // [mir] _14 = CheckedSub(_12, const 1_usize) + _14 := builtin$havoc_ref() + inhale acc(_14.tuple_0, write) + inhale acc(_14.tuple_0.val_int, write) + inhale acc(_14.tuple_1, write) + inhale acc(_14.tuple_1.val_bool, write) + inhale _12 >= 0 + _14.tuple_0.val_int := _12 - 1 + _14.tuple_1.val_bool := false + // [mir] assert(!move (_14.1: bool), "attempt to compute `{} - {}`, which would overflow", move _12, const 1_usize) -> [success: bb7, unwind: bb10] + __t11 := _14.tuple_1.val_bool + // Rust assertion: attempt to subtract with overflow + assert !__t11 + // ========== bb7 ========== + __t7 := true + // [mir] _11 = move (_14.0: usize) + _11 := _14.tuple_0 + label l17 + // [mir] StorageDead(_12) + // [mir] FakeRead(ForLet(None), _11) + // [mir] StorageLive(_15) + // [mir] StorageLive(_16) + // [mir] _16 = &mut (*_1) + _16 := builtin$havoc_ref() + inhale acc(_16.val_ref, write) + _16.val_ref := _1.val_ref + label l18 + // [mir] StorageLive(_17) + // [mir] _17 = _11 + _17 := builtin$havoc_int() + _17 := _11.val_int + label l19 + // [mir] _15 = VecWrapperI32::borrow(move _16, move _17) -> [return: 
bb8, unwind: bb10] + label l20 + assert 0 <= _17 && + _17 < + f_VecWrapperI32$$len__$TY$__Snap$struct$m_VecWrapperI32$$int$(snap$__$TY$__Snap$struct$m_VecWrapperI32$struct$m_VecWrapperI32$Snap$struct$m_VecWrapperI32(_16.val_ref)) + assert true + assert _17 >= 0 + exhale acc(_16.val_ref, write) && + (acc(struct$m_VecWrapperI32(_16.val_ref), write) && _17 >= 0) + _15 := builtin$havoc_ref() + inhale acc(_15.val_ref, write) && acc(i32(_15.val_ref), write) + inhale true + label l21 + // ========== bb8 ========== + __t8 := true + // [mir] _5 = &mut (*_15) + _5 := builtin$havoc_ref() + inhale acc(_5.val_ref, write) + _5.val_ref := _15.val_ref + label l22 + // [mir] StorageDead(_17) + // [mir] StorageDead(_16) + // [mir] StorageDead(_11) + // [mir] StorageDead(_15) + // [mir] goto -> bb9 + // ========== l28 ========== + // drop Acc(_14.tuple_1.val_bool, write) (Acc(_14.tuple_1.val_bool, write)) + // drop Acc(old[l14](_13.val_ref), write) (Acc(old[l14](_13.val_ref), write)) + // drop Acc(_12.val_int, write) (Acc(_12.val_int, write)) + // drop Acc(_14.tuple_0, write) (Acc(_14.tuple_0, write)) + // drop Acc(_15.val_ref, write) (Acc(_15.val_ref, write)) + // drop Acc(_11.val_int, write) (Acc(_11.val_int, write)) + // drop Acc(_13.val_ref, write) (Acc(_13.val_ref, write)) + // drop Pred(_9, write) (Pred(_9, write)) + // drop Acc(_14.tuple_1, write) (Acc(_14.tuple_1, write)) + goto bb1 + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--main-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--main-Both.vpr new file mode 100644 index 00000000..d2e48081 --- /dev/null 
+++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--main-Both.vpr 
@@ -0,0 +1,292 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate tuple0$(self: Ref) { + true +} + +method m_main() returns (_0: Ref) +{ + var __t0: Bool + + label start + // ========== start ========== + // Def path: "borrow_first::main" + // Span: tests/verify/pass/nll-rfc/borrow_first.rs:95:1: 95:13 (#0) + __t0 := false + // Preconditions: + label pre + // ========== bb0 ========== + 
__t0 := true + // [mir] _0 = const () + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l1 + // Fold predicates for &mut args and transfer borrow permissions to old + // Fold the result + fold acc(tuple0$(_0), write) + // obtain acc(tuple0$(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + assert true + // Exhale permissions of postcondition (1/3) + // Exhale permissions of postcondition (2/3) + exhale acc(tuple0$(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--some_condition-Both.vpr b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--some_condition-Both.vpr new file mode 100644 index 00000000..dfb6545e --- /dev/null +++ b/src/test/resources/biabduction/frontends/prusti/tests_verify_pass_nll-rfc_borrow_first_borrow_first.rs_borrow_first--some_condition-Both.vpr 
@@ -0,0 +1,319 @@ +domain FloatDomain24e8 interpretation (SMTLIB: "(_ FloatingPoint 8 24)", Boogie: "float24e8") { + + function f32_from_bv(a: BitVectorDomain32): FloatDomain24e8 interpretation "(_ to_fp 8 24)" + + function f32_fp_add(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.add RNE" + + function f32_fp_sub(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.sub RNE" + + function f32_fp_mul(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.mul RNE" + + function f32_fp_div(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.div RNE" + + function f32_fp_min(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.min" + + function f32_fp_max(a: FloatDomain24e8, b: FloatDomain24e8): FloatDomain24e8 interpretation "fp.max" + + function f32_fp_eq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.eq" + + function f32_fp_leq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.leq" + + function f32_fp_geq(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.geq" + + function f32_fp_lt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.lt" + + function f32_fp_gt(a: FloatDomain24e8, b: FloatDomain24e8): Bool interpretation "fp.gt" + + function f32_fp_neg(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.neg" + + function f32_fp_abs(a: FloatDomain24e8): FloatDomain24e8 interpretation "fp.abs" + + function f32_fp_is_zero(a: FloatDomain24e8): Bool interpretation "fp.isZero" + + function f32_fp_is_infinite(a: FloatDomain24e8): Bool interpretation "fp.isInfinite" + + function f32_fp_is_nan(a: FloatDomain24e8): Bool interpretation "fp.isNaN" + + function f32_fp_is_negative(a: FloatDomain24e8): Bool interpretation "fp.isNegative" + + function f32_fp_is_positive(a: FloatDomain24e8): Bool interpretation "fp.isPositive" +} + +domain FloatDomain52e12 interpretation (SMTLIB: "(_ FloatingPoint 12 52)", 
Boogie: "float52e12") { + + function f64_from_bv(a: BitVectorDomain64): FloatDomain52e12 interpretation "(_ to_fp 12 52)" + + function f64_fp_add(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.add RNE" + + function f64_fp_sub(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.sub RNE" + + function f64_fp_mul(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.mul RNE" + + function f64_fp_div(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.div RNE" + + function f64_fp_min(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.min" + + function f64_fp_max(a: FloatDomain52e12, b: FloatDomain52e12): FloatDomain52e12 interpretation "fp.max" + + function f64_fp_eq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.eq" + + function f64_fp_leq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.leq" + + function f64_fp_geq(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.geq" + + function f64_fp_lt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.lt" + + function f64_fp_gt(a: FloatDomain52e12, b: FloatDomain52e12): Bool interpretation "fp.gt" + + function f64_fp_neg(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.neg" + + function f64_fp_abs(a: FloatDomain52e12): FloatDomain52e12 interpretation "fp.abs" + + function f64_fp_is_zero(a: FloatDomain52e12): Bool interpretation "fp.isZero" + + function f64_fp_is_infinite(a: FloatDomain52e12): Bool interpretation "fp.isInfinite" + + function f64_fp_is_nan(a: FloatDomain52e12): Bool interpretation "fp.isNaN" + + function f64_fp_is_negative(a: FloatDomain52e12): Bool interpretation "fp.isNegative" + + function f64_fp_is_positive(a: FloatDomain52e12): Bool interpretation "fp.isPositive" + + function f64_fp_typ(a: FloatDomain52e12): Bool interpretation "fp.typ" +} + +domain BitVectorDomain8 interpretation (SMTLIB: "(_ 
BitVec 8)", Boogie: "bv8") { + + function bv8_from_int(i: Int): BitVectorDomain8 interpretation "(_ int2bv 8)" + + function bv8_to_int(i: BitVectorDomain8): Int interpretation "(_ bv2int 8)" + + function bv8_and(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvand" + + function bv8_or(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvor" + + function bv8_xor(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvxor" + + function bv8_add(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvadd" + + function bv8_sub(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvsub" + + function bv8_mul(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvmul" + + function bv8_udiv(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvudiv" + + function bv8_shl(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvshl" + + function bv8_lshr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvlshr" + + function bv8_ashr(a: BitVectorDomain8, b: BitVectorDomain8): BitVectorDomain8 interpretation "bvashr" + + function bv8_not(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvnot" + + function bv8_neg(a: BitVectorDomain8): BitVectorDomain8 interpretation "bvneg" +} + +domain BitVectorDomain16 interpretation (SMTLIB: "(_ BitVec 16)", Boogie: "bv16") { + + function bv16_from_int(i: Int): BitVectorDomain16 interpretation "(_ int2bv 16)" + + function bv16_to_int(i: BitVectorDomain16): Int interpretation "(_ bv2int 16)" + + function bv16_and(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvand" + + function bv16_or(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvor" + + function bv16_xor(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvxor" + + function 
bv16_add(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvadd" + + function bv16_sub(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvsub" + + function bv16_mul(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvmul" + + function bv16_udiv(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvudiv" + + function bv16_shl(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvshl" + + function bv16_lshr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvlshr" + + function bv16_ashr(a: BitVectorDomain16, b: BitVectorDomain16): BitVectorDomain16 interpretation "bvashr" + + function bv16_not(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvnot" + + function bv16_neg(a: BitVectorDomain16): BitVectorDomain16 interpretation "bvneg" +} + +domain BitVectorDomain32 interpretation (SMTLIB: "(_ BitVec 32)", Boogie: "bv32") { + + function bv32_from_int(i: Int): BitVectorDomain32 interpretation "(_ int2bv 32)" + + function bv32_to_int(i: BitVectorDomain32): Int interpretation "(_ bv2int 32)" + + function bv32_and(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvand" + + function bv32_or(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvor" + + function bv32_xor(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvxor" + + function bv32_add(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvadd" + + function bv32_sub(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvsub" + + function bv32_mul(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvmul" + + function bv32_udiv(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvudiv" + + function bv32_shl(a: BitVectorDomain32, b: 
BitVectorDomain32): BitVectorDomain32 interpretation "bvshl" + + function bv32_lshr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvlshr" + + function bv32_ashr(a: BitVectorDomain32, b: BitVectorDomain32): BitVectorDomain32 interpretation "bvashr" + + function bv32_not(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvnot" + + function bv32_neg(a: BitVectorDomain32): BitVectorDomain32 interpretation "bvneg" +} + +domain BitVectorDomain64 interpretation (SMTLIB: "(_ BitVec 64)", Boogie: "bv64") { + + function bv64_from_int(i: Int): BitVectorDomain64 interpretation "(_ int2bv 64)" + + function bv64_to_int(i: BitVectorDomain64): Int interpretation "(_ bv2int 64)" + + function bv64_and(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvand" + + function bv64_or(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvor" + + function bv64_xor(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvxor" + + function bv64_add(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvadd" + + function bv64_sub(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvsub" + + function bv64_mul(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvmul" + + function bv64_udiv(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvudiv" + + function bv64_shl(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvshl" + + function bv64_lshr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvlshr" + + function bv64_ashr(a: BitVectorDomain64, b: BitVectorDomain64): BitVectorDomain64 interpretation "bvashr" + + function bv64_not(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvnot" + + function bv64_neg(a: BitVectorDomain64): BitVectorDomain64 interpretation "bvneg" +} + +domain BitVectorDomain128 
interpretation (SMTLIB: "(_ BitVec 128)", Boogie: "bv128") { + + function bv128_from_int(i: Int): BitVectorDomain128 interpretation "(_ int2bv 128)" + + function bv128_to_int(i: BitVectorDomain128): Int interpretation "(_ bv2int 128)" + + function bv128_and(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvand" + + function bv128_or(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvor" + + function bv128_xor(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvxor" + + function bv128_add(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvadd" + + function bv128_sub(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvsub" + + function bv128_mul(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvmul" + + function bv128_udiv(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvudiv" + + function bv128_shl(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvshl" + + function bv128_lshr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvlshr" + + function bv128_ashr(a: BitVectorDomain128, b: BitVectorDomain128): BitVectorDomain128 interpretation "bvashr" + + function bv128_not(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvnot" + + function bv128_neg(a: BitVectorDomain128): BitVectorDomain128 interpretation "bvneg" +} + +field val_bool: Bool + +field val_int: Int + +field val_ref: Ref + +function read$(): Perm + ensures none < result + ensures result < write + + +predicate DeadBorrowToken$(borrow: Int) + +predicate bool(self: Ref) { + acc(self.val_bool, write) +} + +predicate i32(self: Ref) { + acc(self.val_int, write) +} + +method m_some_condition() returns (_0: Ref) +{ + var __t0: Bool + var _old$pre$0: Ref + var _1: Ref + var _2: Int + + label start + // ========== 
start ========== + // Def path: "borrow_first::some_condition" + // Span: tests/verify/pass/nll-rfc/borrow_first.rs:78:1: 80:2 (#0) + __t0 := false + // Preconditions: + inhale acc(_1.val_ref, write) && acc(i32(_1.val_ref), read$()) + label pre + // ========== bb0 ========== + __t0 := true + // [mir] StorageLive(_2) + // [mir] _2 = (*_1) + _2 := builtin$havoc_int() + unfold acc(i32(_1.val_ref), read$()) + _2 := _1.val_ref.val_int + label l0 + // [mir] _0 = Gt(move _2, const 0_i32) + _0 := builtin$havoc_ref() + inhale acc(_0.val_bool, write) + _0.val_bool := _2 > 0 + // [mir] StorageDead(_2) + // [mir] return + // ========== return ========== + // Target of any 'return' statement. + // Exhale postcondition + label l2 + // Fold predicates for &mut args and transfer borrow permissions to old + fold acc(i32(_1.val_ref), read$()) + // obtain acc(i32(_1.val_ref), write) + _old$pre$0 := _1.val_ref + // Fold the result + fold acc(bool(_0), write) + // obtain acc(bool(_0), write) + // Assert possible strengthening + // Assert functional specification of postcondition + // Assert type invariants + // Exhale permissions of postcondition (1/3) + exhale acc(i32(_old$pre$0), read$()) + // Exhale permissions of postcondition (2/3) + exhale acc(bool(_0), write) + // Exhale permissions of postcondition (3/3) + goto end_of_method + label end_of_method +} + +method builtin$havoc_bool() returns (ret: Bool) + + +method builtin$havoc_int() returns (ret: Int) + + +method builtin$havoc_ref() returns (ret: Ref) diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BagStack-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BagStack-I.vl.vpr new file mode 100644 index 00000000..dc5d457d --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BagStack-I.vl.vpr 
@@ -0,0 +1,3838 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Bag_state_T(r: Ref, lvl: Int, z: Ref): Bool + + function BagList_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function Bag_interferenceReference_df($p0: Int, r: Ref, lvl: Int, z: Ref): Bool + + function BagList_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Bag_interferenceSet_df($p0: Int, r: Ref, lvl: Int, z: Ref): Set[Seq[Int]] + + function BagList_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Seq[Int]] +} + +domain atomicity_context_Domain { + + function Bag_atomicity_context_df(r: Ref, lvl: Int, z: Ref): Bool + + function BagList_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_seq_int_: Seq[Int] + +field $stepTo_seq_int_: Seq[Int] + +field $entry_$next: Ref + +field $entry_$_nextId: Ref + +field $entry_$_nextLvl: Int + +field $entry_$_nextState: Seq[Int] + +field $link_$val: Int + +field $link_$next: Ref + +field $link_$_nextId: Ref + +field $link_$_nextLvl: Int + +field $link_$_nextState: Seq[Int] + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_113_220(): Set[Seq[Int]] + ensures (forall $k: Seq[Int] ::($k in result) == true) + + +function Bag_atomicity_context_hf(r: Ref, lvl: Int, z: Ref): Set[Seq[Int]] + requires acc(Bag_atomicity_context_fp(r, lvl, z), write) + ensures [Bag_atomicity_context_df(r, lvl, z), true] + + +function Bag_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, z: Ref): Set[Seq[Int]] + requires acc(Bag_interferenceContext_fp(r, lvl, z), write) + ensures [(forall $_m: Seq[Int] :: + { ($_m in result) } + ($_m in result) ==> ($_m in Bag_interferenceSet_df($p0, r, lvl, z))), + true] + + +function Bag_interferenceReference_hf($p0: Int, 
r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag_interferenceContext_fp(r, lvl, z), write) + ensures [Bag_interferenceReference_df($p0, r, lvl, z), true] + + +function Bag_sk_$_action_p(r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag_sk_fp(), write) + + +function Bag_sk_$_action_q(r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag_sk_fp(), write) + + +function Bag_state(r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag(r, lvl, z), write) + ensures [Bag_state_T(r, lvl, z), true] +{ + (unfolding acc(Bag(r, lvl, z), write) in z.$entry_$_nextState) +} + +function BagList_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Seq[Int]] + requires acc(BagList_atomicity_context_fp(r, lvl, x), write) + ensures [BagList_atomicity_context_df(r, lvl, x), true] + + +function BagList_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Seq[Int]] + requires acc(BagList_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Seq[Int] :: + { ($_m in result) } + ($_m in result) ==> + ($_m in BagList_interferenceSet_df($p0, r, lvl, x))), + true] + + +function BagList_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList_interferenceContext_fp(r, lvl, x), write) + ensures [BagList_interferenceReference_df($p0, r, lvl, x), true] + + +function BagList_sk_$_action_p(r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList_sk_fp(), write) + + +function BagList_sk_$_action_q(r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList_sk_fp(), write) + + +function BagList_state(r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList(r, lvl, x), write) + ensures [BagList_state_T(r, lvl, x), true] +{ + (unfolding acc(BagList(r, lvl, x), write) in + (x == null ? 
Seq[Int]() : Seq(x.$link_$val) ++ x.$link_$_nextState)) +} + +predicate Bag_Z($r: Ref) + +predicate Bag_atomicity_context_fp(r: Ref, lvl: Int, z: Ref) + +predicate Bag_interferenceContext_fp(r: Ref, lvl: Int, z: Ref) + +predicate Bag_sk_fp() + +predicate Bag(r: Ref, lvl: Int, z: Ref) { + acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) && + (acc(BagList(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next), write) && + (z.$entry_$_nextLvl >= 0 && + BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next) == + z.$entry_$_nextState)) && + acc(BagList_G(z.$entry_$_nextId), write) && + z.$entry_$_nextLvl < lvl +} + +predicate BagList_G($r: Ref) + +predicate BagList_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate BagList_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate BagList_sk_fp() + +predicate BagList(r: Ref, lvl: Int, x: Ref) { + acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true))) && + (!(x == null) ? 
+ acc(BagList(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next), write) && + (x.$link_$_nextLvl >= 0 && + BagList_state(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next) == + x.$link_$_nextState) && + acc(BagList_G(x.$link_$_nextId), write) && + x.$link_$_nextLvl < lvl : + true) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Seq_Int_() returns ($r: Seq[Int]) + + +method ___silicon_hack407_havoc_all_Bag() + + +method ___silicon_hack407_havoc_all_Bag_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_BagList() + + +method ___silicon_hack407_havoc_all_BagList_interferenceContext_fp() + + +method push(r: Ref, lvl: Int, z: Ref, n: Int) + requires acc(Bag(r, lvl, z), write) && + (lvl >= 0 && Bag_state(r, lvl, z) == Bag_state(r, lvl, z)) && + acc(Bag_Z(r), write) + requires (Bag_state(r, lvl, z) in comprehension_113_220()) + ensures acc(Bag(r, lvl, z), write) && + (lvl >= 0 && + Bag_state(r, lvl, z) == Seq(n) ++ old(Bag_state(r, lvl, z))) && + acc(Bag_Z(r), write) +{ + var x: Ref + var y: Ref + var y_state: Seq[Int] + var b: Bool + var c: Ref + var l: Int + var u: Ref + var ur: Ref + var ul: Int + var u_state: Seq[Int] + var u$: Ref + var ur$: Ref + var ul$: Int + var u_state$: Seq[Int] + var $_levelVar_0: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + inhale $_levelVar_0 >= 0 && $_levelVar_0 > lvl + assert $_levelVar_0 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Bag_interferenceSet_hf(0, r, lvl, z) == comprehension_113_220() + inhale Bag_interferenceReference_hf(0, r, lvl, z) == + old(Bag_state(r, lvl, z)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(Bag_Z(r), write) + exhale acc(Bag(r, lvl, z), write) + + // ------- Stabilising regions Bag,BagList (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize0](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize0](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize0](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize0](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize0](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == 
none)) + + // ------- Stabilising regions Bag,BagList (stabilizing frame before make-atomic) END + + $_levelVar_1 := lvl + assert perm(Bag_atomicity_context_fp(r, lvl, z)) == none + inhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + inhale Bag_atomicity_context_hf(r, lvl, z) == + Bag_interferenceSet_hf(0, r, lvl, z) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(Bag(r, lvl, z), write) && + (lvl >= 0 && + Bag_state(r, lvl, z) == Seq(n) ++ old(Bag_state(r, lvl, z))) && + acc(Bag_Z(r), write) + { + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_atomicity_context_fp($r, + $lvl, $z), old[preWhile0](perm(Bag_atomicity_context_fp($r, $lvl, $z))))) + inhale (forall $r: Ref, $lvl: Int, $z: Ref :: + { Bag_atomicity_context_df($r, $lvl, $z) } + none < old[preWhile0](perm(Bag_atomicity_context_fp($r, $lvl, $z))) ==> + Bag_atomicity_context_hf($r, $lvl, $z) == + old[preWhile0](Bag_atomicity_context_hf($r, $lvl, $z))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(BagList_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BagList_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(BagList_atomicity_context_fp($r, $lvl, $x))) ==> + BagList_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](BagList_atomicity_context_hf($r, $lvl, $x))) + inhale acc(Bag(r, lvl, z), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions Bag (before atomic) BEGIN + + label pre_stabilize + + // Stabilising single instance of region Bag + quasihavoc Bag(r, lvl, z) + exhale 
acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < perm(Bag_atomicity_context_fp(r, lvl, z)) ==> + (Bag_state(r, lvl, z) in Bag_atomicity_context_hf(r, lvl, z))) && + (Bag_state(r, lvl, z) == old[pre_stabilize](Bag_state(r, lvl, z)) || + Bag_sk_$_action_p(r, lvl, z) == + old[pre_stabilize](Bag_state(r, lvl, z)) && + Bag_sk_$_action_q(r, lvl, z) == Bag_state(r, lvl, z) && + true && + true) + + // ------- Stabilising regions Bag (before atomic) END + + + // ------- inhale BEGIN ------------ + + inhale acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$link_$val := n + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Bag,BagList (after heap-write@73.5) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(1, $r, $lvl, $z)) } + none < old[pre_stabilize2](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(1, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize2](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize2](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < 
+ old[pre_stabilize2](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(1, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize2](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(1, $r, $lvl, $z) == + old[pre_stabilize2](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize2](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize2](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-write@73.5) END + + + // ------- 
open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_0 > lvl + $_levelVar_2 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre0 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(1, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre0](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + y := z.$entry_$next + + // ------- heap-read END ----------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region0](Bag_state(r, lvl, z)) + $_levelVar_3 := $_levelVar_0 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@80.7) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(2, $r, $lvl, $z)) } + none < old[pre_stabilize3](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(2, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize3](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize3](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize3](perm(Bag($r, $lvl, $z))) ==> + 
(Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(2, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize3](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(2, $r, $lvl, $z) == + old[pre_stabilize3](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize3](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize3](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@80.7) END + + + // ------- heap-write BEGIN -------- + + x.$link_$next := y + + // 
------- heap-write END ---------- + + + // ------- Stabilising regions Bag,BagList (after heap-write@84.7) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(3, $r, $lvl, $z)) } + none < old[pre_stabilize4](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(3, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize4](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize4](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize4](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(3, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize4](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(3, $r, $lvl, $z) == + old[pre_stabilize4](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(BagList($r, $lvl, $x))) ==> + ($$_m in 
BagList_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize4](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize4](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-write@84.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update0 + assert $_levelVar_3 > lvl + $_levelVar_4 := lvl + exhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(3, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, 
write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u := z.$entry_$next + ur := z.$entry_$_nextId + ul := z.$entry_$_nextLvl + u_state := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + y_state := havoc_Seq_Int_() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale y_state == u_state + + // ------- assume END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call0 + assert $_levelVar_4 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call0](z.$entry_$next) == y ? + b && (acc(z.$entry_$next, write) && z.$entry_$next == x) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call0](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- assume BEGIN ------------ + + inhale ul < l && l < lvl + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + createBagList(c, l, x, ur, ul, u_state) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, c, l) + + // ------- apply END --------------- + + assert $_levelVar_4 == $_levelVar_4 + } + $_levelVar_5 := $_levelVar_4 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + if (Bag_state(r, lvl, z) != + old[pre_region_update0](Bag_state(r, lvl, z))) { + inhale acc(r.$stepFrom_seq_int_, write) && + acc(r.$stepTo_seq_int_, write) + r.$stepFrom_seq_int_ := old[pre_region_update0](Bag_state(r, lvl, z)) + r.$stepTo_seq_int_ := Bag_state(r, lvl, z) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + inhale Bag_atomicity_context_hf(r, lvl, z) == + old[pre_region_update0](Bag_atomicity_context_hf(r, lvl, z)) + $_levelVar_6 := $_levelVar_3 + + // ------- update-region END ------- + + 
+ // ------- Stabilising regions Bag,BagList (after update-region@86.7) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(4, $r, $lvl, $z)) } + none < old[pre_stabilize5](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(4, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize5](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize5](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize5](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(4, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize5](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(4, $r, $lvl, $z) == + old[pre_stabilize5](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(4, $r, $lvl, $x)) == + 
((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize5](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize5](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after update-region@86.7) END + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) + invariant (!b ? + acc(r.$diamond, write) && + (acc(x.$link_$val, write) && x.$link_$val == n) && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) : + true) + invariant (b ? 
+ acc(r.$stepFrom_seq_int_, write) && + r.$stepFrom_seq_int_ == y_state && + (acc(r.$stepTo_seq_int_, write) && + r.$stepTo_seq_int_ == Seq(n) ++ y_state) : + true) + { + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_atomicity_context_fp($r, + $lvl, $z), old[preWhile](perm(Bag_atomicity_context_fp($r, $lvl, $z))))) + inhale (forall $r: Ref, $lvl: Int, $z: Ref :: + { Bag_atomicity_context_df($r, $lvl, $z) } + none < + old[preWhile](perm(Bag_atomicity_context_fp($r, $lvl, $z))) ==> + Bag_atomicity_context_hf($r, $lvl, $z) == + old[preWhile](Bag_atomicity_context_hf($r, $lvl, $z))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(BagList_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BagList_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(BagList_atomicity_context_fp($r, $lvl, $x))) ==> + BagList_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](BagList_atomicity_context_hf($r, $lvl, $x))) + assert acc(Bag(r, lvl, z), write) + + // ------- Stabilising regions Bag (infer context for open-region) BEGIN + + label pre_stabilize6 + + // Stabilising single instance of region Bag + quasihavoc Bag_interferenceContext_fp(r, lvl, z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(5, r, lvl, z)) } + ($$_m in Bag_interferenceSet_hf(5, r, lvl, z)) == + ((none < perm(r.$diamond) && + none < perm(Bag_atomicity_context_fp(r, lvl, z)) ==> + ($$_m in Bag_atomicity_context_hf(r, lvl, z))) && + ($$_m == old[pre_stabilize6](Bag_state(r, lvl, 
z)) || + Bag_sk_$_action_p(r, lvl, z) == + old[pre_stabilize6](Bag_state(r, lvl, z)) && + Bag_sk_$_action_q(r, lvl, z) == $$_m && + true && + true))) + quasihavoc Bag(r, lvl, z) + inhale (Bag_state(r, lvl, z) in Bag_interferenceSet_hf(5, r, lvl, z)) + + // havoc performed by other front resource + + inhale Bag_interferenceReference_hf(5, r, lvl, z) == + old[pre_stabilize6](Bag_state(r, lvl, z)) + + // ------- Stabilising regions Bag (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_6 > lvl + $_levelVar_7 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre2 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(5, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre2](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + y := z.$entry_$next + + // ------- heap-read END ----------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region](Bag_state(r, lvl, z)) + $_levelVar_8 := $_levelVar_6 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@80.7) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(6, $r, $lvl, $z)) } + none < old[pre_stabilize7](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(6, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, 
$lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize7](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize7](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize7](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(6, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize7](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(6, $r, $lvl, $z) == + old[pre_stabilize7](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize7](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + 
BagList_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize7](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@80.7) END + + + // ------- heap-write BEGIN -------- + + x.$link_$next := y + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Bag,BagList (after heap-write@84.7) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(7, $r, $lvl, $z)) } + none < old[pre_stabilize8](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(7, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize8](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize8](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize8](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(7, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize8](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(7, $r, $lvl, $z) == + old[pre_stabilize8](Bag_state($r, 
$lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize8](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize8](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-write@84.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update + assert $_levelVar_8 > lvl + $_levelVar_9 := lvl + exhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre3 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + 
// havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(7, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre3](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u$ := z.$entry_$next + ur$ := z.$entry_$_nextId + ul$ := z.$entry_$_nextLvl + u_state$ := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + y_state := havoc_Seq_Int_() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale y_state == u_state$ + + // ------- assume END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call + assert $_levelVar_9 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call](z.$entry_$next) == y ? 
+ b && (acc(z.$entry_$next, write) && z.$entry_$next == x) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- assume BEGIN ------------ + + inhale ul$ < l && l < lvl + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + createBagList(c, l, x, ur$, ul$, u_state$) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, c, l) + + // ------- apply END --------------- + + assert $_levelVar_9 == $_levelVar_9 + } + $_levelVar_10 := $_levelVar_9 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + if (Bag_state(r, lvl, z) != + old[pre_region_update](Bag_state(r, lvl, z))) { + inhale acc(r.$stepFrom_seq_int_, write) && + acc(r.$stepTo_seq_int_, write) + r.$stepFrom_seq_int_ := old[pre_region_update](Bag_state(r, lvl, z)) + r.$stepTo_seq_int_ := Bag_state(r, lvl, z) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + inhale Bag_atomicity_context_hf(r, lvl, z) == + old[pre_region_update](Bag_atomicity_context_hf(r, lvl, z)) + $_levelVar_11 := $_levelVar_8 + + // ------- update-region END ------- + + + // ------- Stabilising regions Bag,BagList (after update-region@86.7) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(8, $r, $lvl, $z)) } + none < old[pre_stabilize9](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(8, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + 
($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize9](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize9](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize9](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(8, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize9](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(8, $r, $lvl, $z) == + old[pre_stabilize9](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(8, $r, $lvl, $x)) } + none < old[pre_stabilize9](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(8, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize9](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize9](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + 
BagList_interferenceSet_hf(8, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(8, $r, $lvl, $x) == + old[pre_stabilize9](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after update-region@86.7) END + + assert $_levelVar_11 == $_levelVar_6 + } + $_levelVar_12 := $_levelVar_6 + + // ------- while END --------------- + + + // ------- Havocking regions Bag (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region Bag + quasihavocall $r: Ref, $lvl: Int, $z: Ref :: Bag($r, $lvl, $z) + + // ------- Havocking regions Bag (after atomic) END + + assert (r.$stepFrom_seq_int_ in Bag_atomicity_context_hf(r, lvl, z)) + assert true + inhale Bag_state(r, lvl, z) == r.$stepTo_seq_int_ + inhale old(Bag_state(r, lvl, z)) == r.$stepFrom_seq_int_ + inhale acc(Bag_Z(r), write) + exhale acc(r.$stepFrom_seq_int_, write) && + acc(r.$stepTo_seq_int_, write) + assert $_levelVar_12 == $_levelVar_0 + loopVar0 := false + } + $_levelVar_13 := $_levelVar_0 + exhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + + // ------- make-atomic END --------- + +} + +method pop(r: Ref, lvl: Int, z: Ref) returns (v: Int) + requires acc(Bag(r, lvl, z), write) && + (lvl >= 0 && Bag_state(r, lvl, z) == Bag_state(r, lvl, z)) && + acc(Bag_Z(r), write) + requires (Bag_state(r, lvl, z) in comprehension_113_220()) + ensures acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) && + old(Bag_state(r, lvl, z)) == Seq(v) ++ Bag_state(r, lvl, z) +{ + var t: Ref + var tn: Ref + var b: Bool + var x_state: Seq[Int] + var vi: Int + var jr: Ref + var jl: Int + var u: Ref + var ur: Ref + var ul: Int + var u_state: Seq[Int] + var n: Ref + var nr: Ref + var nl: Int + var n_state: Seq[Int] + var e: Int + var jr$: Ref + var jl$: Int + var u$: Ref + var ur$: Ref + 
var ul$: Int + var u_state$: Seq[Int] + var n$: Ref + var nr$: Ref + var nl$: Int + var n_state$: Seq[Int] + var e$: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + var $_levelVar_21: Int + var $_levelVar_22: Int + var $_levelVar_23: Int + var $_levelVar_24: Int + var $_levelVar_25: Int + var $_levelVar_26: Int + var $_levelVar_27: Int + var $_levelVar_28: Int + var $_levelVar_29: Int + var $_levelVar_30: Int + var $_levelVar_31: Int + var $_levelVar_32: Int + var $_levelVar_33: Int + inhale $_levelVar_14 >= 0 && $_levelVar_14 > lvl + assert $_levelVar_14 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Bag_interferenceSet_hf(8, r, lvl, z) == comprehension_113_220() + inhale Bag_interferenceReference_hf(8, r, lvl, z) == + old(Bag_state(r, lvl, z)) + + // ------- make-atomic BEGIN ------- + + var loopVar: Bool + exhale acc(Bag_Z(r), write) + exhale acc(Bag(r, lvl, z), write) + + // ------- Stabilising regions Bag,BagList (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize10](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize10](Bag_state($r, $lvl, $z)) || + 
Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize10](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize10](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize10](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (stabilizing frame before make-atomic) END + + $_levelVar_15 := lvl + assert perm(Bag_atomicity_context_fp(r, lvl, z)) == none + inhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + inhale Bag_atomicity_context_hf(r, lvl, z) == + Bag_interferenceSet_hf(8, r, lvl, z) + label preWhile2 + loopVar := true + while (loopVar) + invariant !loopVar ==> + acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) && + old(Bag_state(r, lvl, z)) == Seq(v) ++ Bag_state(r, lvl, z) + { + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_atomicity_context_fp($r, + $lvl, $z), old[preWhile2](perm(Bag_atomicity_context_fp($r, $lvl, 
$z))))) + inhale (forall $r: Ref, $lvl: Int, $z: Ref :: + { Bag_atomicity_context_df($r, $lvl, $z) } + none < old[preWhile2](perm(Bag_atomicity_context_fp($r, $lvl, $z))) ==> + Bag_atomicity_context_hf($r, $lvl, $z) == + old[preWhile2](Bag_atomicity_context_hf($r, $lvl, $z))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_atomicity_context_fp($r, + $lvl, $x), old[preWhile2](perm(BagList_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BagList_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile2](perm(BagList_atomicity_context_fp($r, $lvl, $x))) ==> + BagList_atomicity_context_hf($r, $lvl, $x) == + old[preWhile2](BagList_atomicity_context_hf($r, $lvl, $x))) + inhale acc(Bag(r, lvl, z), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions Bag (before atomic) BEGIN + + label pre_stabilize11 + + // Stabilising single instance of region Bag + quasihavoc Bag(r, lvl, z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < perm(Bag_atomicity_context_fp(r, lvl, z)) ==> + (Bag_state(r, lvl, z) in Bag_atomicity_context_hf(r, lvl, z))) && + (Bag_state(r, lvl, z) == old[pre_stabilize11](Bag_state(r, lvl, z)) || + Bag_sk_$_action_p(r, lvl, z) == + old[pre_stabilize11](Bag_state(r, lvl, z)) && + Bag_sk_$_action_q(r, lvl, z) == Bag_state(r, lvl, z) && + true && + true) + + // ------- Stabilising regions Bag (before atomic) END + + + // ------- assign BEGIN ------------ + + b := false + + // ------- assign END -------------- + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_14 > lvl + $_levelVar_16 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre4 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + 
BagList_interferenceReference_hf(8, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre4](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + t := z.$entry_$next + + // ------- heap-read END ----------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && z.$entry_$next == t && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + jr := z.$entry_$_nextId + jl := z.$entry_$_nextLvl + + // ------- assert END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(BagList(jr, jl, t), write) && (jl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(BagList(jr, jl, t), write) && (jl >= 0 && true) + + // ------- inhale END -------------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region2](Bag_state(r, lvl, z)) + $_levelVar_17 := $_levelVar_14 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@133.7) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(9, $r, $lvl, $z)) } + none < old[pre_stabilize12](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(9, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize12](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize12](Bag_state($r, $lvl, $z)) && + 
Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize12](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(9, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize12](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(9, $r, $lvl, $z) == + old[pre_stabilize12](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize12](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize12](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize12](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(BagList($r, 
$lvl, $x))) ==> + BagList_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize12](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@133.7) END + + + // ------- if-then-else BEGIN ------ + + if (!(t == null)) { + assert acc(BagList(jr, jl, t), write) + + // ------- Stabilising regions BagList (infer context for open-region) BEGIN + + label pre_stabilize13 + + // Stabilising single instance of region BagList + quasihavoc BagList_interferenceContext_fp(jr, jl, t) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(10, jr, jl, t)) } + ($$_m in BagList_interferenceSet_hf(10, jr, jl, t)) == + ((none < perm(jr.$diamond) && + none < perm(BagList_atomicity_context_fp(jr, jl, t)) ==> + ($$_m in BagList_atomicity_context_hf(jr, jl, t))) && + ($$_m == old[pre_stabilize13](BagList_state(jr, jl, t)) || + BagList_sk_$_action_p(jr, jl, t) == + old[pre_stabilize13](BagList_state(jr, jl, t)) && + BagList_sk_$_action_q(jr, jl, t) == $$_m && + true && + perm(BagList_G(jr)) == none))) + quasihavoc BagList(jr, jl, t) + inhale (BagList_state(jr, jl, t) in + BagList_interferenceSet_hf(10, jr, jl, t)) + + // havoc performed by other front resource + + inhale BagList_interferenceReference_hf(10, jr, jl, t) == + old[pre_stabilize13](BagList_state(jr, jl, t)) + + // ------- Stabilising regions BagList (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_17 > jl + $_levelVar_18 := jl + unfold acc(BagList(jr, jl, t), write) + label transitionPre5 + quasihavoc BagList_interferenceContext_fp(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale !(t == null) ==> + BagList_interferenceReference_hf(10, t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) == + 
old[transitionPre5](BagList_state(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next)) + + // ------- heap-read BEGIN --------- + + tn := t.$link_$next + + // ------- heap-read END ----------- + + fold acc(BagList(jr, jl, t), write) + assert BagList_state(jr, jl, t) == + old[pre_open_region3](BagList_state(jr, jl, t)) + $_levelVar_19 := $_levelVar_17 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@144.9) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(11, $r, $lvl, $z)) } + none < old[pre_stabilize14](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(11, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize14](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize14](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize14](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(11, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize14](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(11, $r, $lvl, $z) == + old[pre_stabilize14](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: 
BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(11, $r, $lvl, $x)) } + none < old[pre_stabilize14](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(11, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize14](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize14](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(11, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(11, $r, $lvl, $x) == + old[pre_stabilize14](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@144.9) END + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList(jr, jl, t), write) && (jl >= 0 && true) + + // ------- exhale END -------------- + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update2 + assert $_levelVar_19 > lvl + $_levelVar_20 := lvl + exhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre6 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + 
z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(11, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre6](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u := z.$entry_$next + ur := z.$entry_$_nextId + ul := z.$entry_$_nextLvl + u_state := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call2 + assert $_levelVar_20 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call2](z.$entry_$next) == t ? + b && (acc(z.$entry_$next, write) && z.$entry_$next == tn) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call2](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- unfold BEGIN ------------ + + assert ul >= 0 && true + unfold acc(BagList(ur, ul, t), write) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) BEGIN + + label pre_infer0 + + // Inferring interference all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(12, $r, $lvl, $z)) } + none < old[pre_infer0](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(12, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < 
perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_infer0](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_infer0](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_infer0](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(12, $r, $lvl, $z) == + old[pre_infer0](Bag_state($r, $lvl, $z))) + + // Inferring interference all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(12, $r, $lvl, $x)) } + none < old[pre_infer0](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer0](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_infer0](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_infer0](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_infer0](BagList_state($r, $lvl, $x))) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList_G(ur), 
write) + + // ------- exhale END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$next, write) && true && + (acc(t.$link_$_nextId, write) && true && + (acc(t.$link_$_nextLvl, write) && true) && + (acc(t.$link_$_nextState, write) && true)) + n := t.$link_$next + nr := t.$link_$_nextId + nl := t.$link_$_nextLvl + n_state := t.$link_$_nextState + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale n == tn + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, nr, nl) + + // ------- apply END --------------- + + + // ------- havoc BEGIN ------------- + + x_state := havoc_Seq_Int_() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale x_state == n_state + + // ------- assume END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$val, write) && true + e := t.$link_$val + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + vi := havoc_Int() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale vi == e + + // ------- assume END -------------- + + assert $_levelVar_20 == $_levelVar_20 + } + $_levelVar_21 := $_levelVar_20 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + if (Bag_state(r, lvl, z) != + old[pre_region_update2](Bag_state(r, lvl, z))) { + inhale acc(r.$stepFrom_seq_int_, write) && + acc(r.$stepTo_seq_int_, write) + r.$stepFrom_seq_int_ := old[pre_region_update2](Bag_state(r, lvl, z)) + r.$stepTo_seq_int_ := Bag_state(r, lvl, z) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + inhale Bag_atomicity_context_hf(r, lvl, z) == + old[pre_region_update2](Bag_atomicity_context_hf(r, lvl, z)) + $_levelVar_22 := $_levelVar_19 + + // ------- update-region END ------- + + + // ------- Stabilising regions Bag,BagList 
(after update-region@150.9) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(13, $r, $lvl, $z)) } + none < old[pre_stabilize15](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(13, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize15](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize15](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize15](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(13, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize15](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(13, $r, $lvl, $z) == + old[pre_stabilize15](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(13, $r, $lvl, $x)) } + none < old[pre_stabilize15](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(13, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + 
none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize15](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize15](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(13, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(13, $r, $lvl, $x) == + old[pre_stabilize15](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after update-region@150.9) END + + assert $_levelVar_22 == $_levelVar_17 + } + $_levelVar_23 := $_levelVar_17 + + // ------- if-then-else END -------- + + + // ------- while BEGIN ------------- + + label preWhile3 + while (!b) + invariant acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) + invariant (!b ? acc(r.$diamond, write) : true) + invariant (b ? 
+ acc(r.$stepFrom_seq_int_, write) && + r.$stepFrom_seq_int_ == Seq(vi) ++ x_state && + (acc(r.$stepTo_seq_int_, write) && r.$stepTo_seq_int_ == x_state) && + (acc(t.$link_$val, write) && t.$link_$val == vi) : + true) + { + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_atomicity_context_fp($r, + $lvl, $z), old[preWhile3](perm(Bag_atomicity_context_fp($r, $lvl, + $z))))) + inhale (forall $r: Ref, $lvl: Int, $z: Ref :: + { Bag_atomicity_context_df($r, $lvl, $z) } + none < + old[preWhile3](perm(Bag_atomicity_context_fp($r, $lvl, $z))) ==> + Bag_atomicity_context_hf($r, $lvl, $z) == + old[preWhile3](Bag_atomicity_context_hf($r, $lvl, $z))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_atomicity_context_fp($r, + $lvl, $x), old[preWhile3](perm(BagList_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BagList_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile3](perm(BagList_atomicity_context_fp($r, $lvl, $x))) ==> + BagList_atomicity_context_hf($r, $lvl, $x) == + old[preWhile3](BagList_atomicity_context_hf($r, $lvl, $x))) + assert acc(Bag(r, lvl, z), write) + + // ------- Stabilising regions Bag (infer context for open-region) BEGIN + + label pre_stabilize16 + + // Stabilising single instance of region Bag + quasihavoc Bag_interferenceContext_fp(r, lvl, z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(14, r, lvl, z)) } + ($$_m in Bag_interferenceSet_hf(14, r, lvl, z)) == + ((none < perm(r.$diamond) && + none < perm(Bag_atomicity_context_fp(r, lvl, z)) ==> + ($$_m in 
Bag_atomicity_context_hf(r, lvl, z))) && + ($$_m == old[pre_stabilize16](Bag_state(r, lvl, z)) || + Bag_sk_$_action_p(r, lvl, z) == + old[pre_stabilize16](Bag_state(r, lvl, z)) && + Bag_sk_$_action_q(r, lvl, z) == $$_m && + true && + true))) + quasihavoc Bag(r, lvl, z) + inhale (Bag_state(r, lvl, z) in + Bag_interferenceSet_hf(14, r, lvl, z)) + + // havoc performed by other front resource + + inhale Bag_interferenceReference_hf(14, r, lvl, z) == + old[pre_stabilize16](Bag_state(r, lvl, z)) + + // ------- Stabilising regions Bag (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region4 + assert $_levelVar_23 > lvl + $_levelVar_24 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre7 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(14, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre7](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + t := z.$entry_$next + + // ------- heap-read END ----------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && z.$entry_$next == t && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + jr$ := z.$entry_$_nextId + jl$ := z.$entry_$_nextLvl + + // ------- assert END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(BagList(jr$, jl$, t), write) && (jl$ >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(BagList(jr$, jl$, t), write) && (jl$ >= 0 && true) + + // ------- inhale END -------------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + 
old[pre_open_region4](Bag_state(r, lvl, z)) + $_levelVar_25 := $_levelVar_23 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@133.7) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(15, $r, $lvl, $z)) } + none < old[pre_stabilize17](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(15, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize17](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize17](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize17](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(15, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize17](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(15, $r, $lvl, $z) == + old[pre_stabilize17](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(15, $r, $lvl, 
$x)) } + none < old[pre_stabilize17](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(15, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize17](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize17](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(15, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(15, $r, $lvl, $x) == + old[pre_stabilize17](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@133.7) END + + + // ------- if-then-else BEGIN ------ + + if (!(t == null)) { + assert acc(BagList(jr$, jl$, t), write) + + // ------- Stabilising regions BagList (infer context for open-region) BEGIN + + label pre_stabilize18 + + // Stabilising single instance of region BagList + quasihavoc BagList_interferenceContext_fp(jr$, jl$, t) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(16, jr$, jl$, t)) } + ($$_m in BagList_interferenceSet_hf(16, jr$, jl$, t)) == + ((none < perm(jr$.$diamond) && + none < perm(BagList_atomicity_context_fp(jr$, jl$, t)) ==> + ($$_m in BagList_atomicity_context_hf(jr$, jl$, t))) && + ($$_m == old[pre_stabilize18](BagList_state(jr$, jl$, t)) || + 
BagList_sk_$_action_p(jr$, jl$, t) == + old[pre_stabilize18](BagList_state(jr$, jl$, t)) && + BagList_sk_$_action_q(jr$, jl$, t) == $$_m && + true && + perm(BagList_G(jr$)) == none))) + quasihavoc BagList(jr$, jl$, t) + inhale (BagList_state(jr$, jl$, t) in + BagList_interferenceSet_hf(16, jr$, jl$, t)) + + // havoc performed by other front resource + + inhale BagList_interferenceReference_hf(16, jr$, jl$, t) == + old[pre_stabilize18](BagList_state(jr$, jl$, t)) + + // ------- Stabilising regions BagList (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region5 + assert $_levelVar_25 > jl$ + $_levelVar_26 := jl$ + unfold acc(BagList(jr$, jl$, t), write) + label transitionPre8 + quasihavoc BagList_interferenceContext_fp(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale !(t == null) ==> + BagList_interferenceReference_hf(16, t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) == + old[transitionPre8](BagList_state(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next)) + + // ------- heap-read BEGIN --------- + + tn := t.$link_$next + + // ------- heap-read END ----------- + + fold acc(BagList(jr$, jl$, t), write) + assert BagList_state(jr$, jl$, t) == + old[pre_open_region5](BagList_state(jr$, jl$, t)) + $_levelVar_27 := $_levelVar_25 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@144.9) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(17, $r, $lvl, $z)) } + none < old[pre_stabilize19](perm(Bag($r, $lvl, $z))) ==> + ($$_m in 
Bag_interferenceSet_hf(17, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize19](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize19](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize19](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(17, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize19](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(17, $r, $lvl, $z) == + old[pre_stabilize19](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(17, $r, $lvl, $x)) } + none < old[pre_stabilize19](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(17, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize19](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize19](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, + $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: 
Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(17, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(17, $r, $lvl, $x) == + old[pre_stabilize19](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@144.9) END + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList(jr$, jl$, t), write) && (jl$ >= 0 && true) + + // ------- exhale END -------------- + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update3 + assert $_levelVar_27 > lvl + $_levelVar_28 := lvl + exhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre9 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(17, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre9](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u$ := z.$entry_$next + ur$ := z.$entry_$_nextId + ul$ := z.$entry_$_nextLvl + u_state$ := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call3 + assert $_levelVar_28 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale 
(old[pre_call3](z.$entry_$next) == t ? + b && (acc(z.$entry_$next, write) && z.$entry_$next == tn) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call3](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- unfold BEGIN ------------ + + assert ul$ >= 0 && true + unfold acc(BagList(ur$, ul$, t), write) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) BEGIN + + label pre_infer + + // Inferring interference all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(18, $r, $lvl, $z)) } + none < old[pre_infer](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(18, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_infer](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_infer](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_infer](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(18, $r, $lvl, $z) == + old[pre_infer](Bag_state($r, $lvl, $z))) + + // Inferring interference all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in 
BagList_interferenceSet_df(18, $r, $lvl, $x)) } + none < old[pre_infer](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(18, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_infer](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_infer](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(18, $r, $lvl, $x) == + old[pre_infer](BagList_state($r, $lvl, $x))) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList_G(ur$), write) + + // ------- exhale END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$next, write) && true && + (acc(t.$link_$_nextId, write) && true && + (acc(t.$link_$_nextLvl, write) && true) && + (acc(t.$link_$_nextState, write) && true)) + n$ := t.$link_$next + nr$ := t.$link_$_nextId + nl$ := t.$link_$_nextLvl + n_state$ := t.$link_$_nextState + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale n$ == tn + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, nr$, nl$) + + // ------- apply END --------------- + + + // ------- havoc BEGIN ------------- + + x_state := havoc_Seq_Int_() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale x_state == n_state$ + + // ------- assume END -------------- + + + // ------- assert BEGIN ------------ + + assert 
acc(t.$link_$val, write) && true + e$ := t.$link_$val + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + vi := havoc_Int() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale vi == e$ + + // ------- assume END -------------- + + assert $_levelVar_28 == $_levelVar_28 + } + $_levelVar_29 := $_levelVar_28 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + if (Bag_state(r, lvl, z) != + old[pre_region_update3](Bag_state(r, lvl, z))) { + inhale acc(r.$stepFrom_seq_int_, write) && + acc(r.$stepTo_seq_int_, write) + r.$stepFrom_seq_int_ := old[pre_region_update3](Bag_state(r, lvl, + z)) + r.$stepTo_seq_int_ := Bag_state(r, lvl, z) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + inhale Bag_atomicity_context_hf(r, lvl, z) == + old[pre_region_update3](Bag_atomicity_context_hf(r, lvl, z)) + $_levelVar_30 := $_levelVar_27 + + // ------- update-region END ------- + + + // ------- Stabilising regions Bag,BagList (after update-region@150.9) BEGIN + + label pre_stabilize20 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(19, $r, $lvl, $z)) } + none < old[pre_stabilize20](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(19, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize20](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize20](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, 
$$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize20](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(19, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize20](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(19, $r, $lvl, $z) == + old[pre_stabilize20](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(19, $r, $lvl, $x)) } + none < old[pre_stabilize20](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(19, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize20](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize20](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, + $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize20](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(19, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize20](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(19, $r, $lvl, $x) == + 
old[pre_stabilize20](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after update-region@150.9) END + + assert $_levelVar_30 == $_levelVar_25 + } + $_levelVar_31 := $_levelVar_25 + + // ------- if-then-else END -------- + + assert $_levelVar_31 == $_levelVar_23 + } + $_levelVar_32 := $_levelVar_23 + + // ------- while END --------------- + + + // ------- heap-read BEGIN --------- + + v := t.$link_$val + + // ------- heap-read END ----------- + + + // ------- Stabilising regions Bag,BagList (after heap-read@178.5) BEGIN + + label pre_stabilize21 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(20, $r, $lvl, $z)) } + none < old[pre_stabilize21](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(20, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize21](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize21](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize21](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(20, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize21](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(20, $r, $lvl, $z) == + old[pre_stabilize21](Bag_state($r, $lvl, $z))) + + // Stabilising all 
instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(20, $r, $lvl, $x)) } + none < old[pre_stabilize21](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(20, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize21](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize21](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(20, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(20, $r, $lvl, $x) == + old[pre_stabilize21](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-read@178.5) END + + + // ------- Havocking regions Bag (after atomic) BEGIN + + label pre_havoc + + // Havocking single instance of region Bag + quasihavocall $r: Ref, $lvl: Int, $z: Ref :: Bag($r, $lvl, $z) + + // ------- Havocking regions Bag (after atomic) END + + assert (r.$stepFrom_seq_int_ in Bag_atomicity_context_hf(r, lvl, z)) + assert true + inhale Bag_state(r, lvl, z) == r.$stepTo_seq_int_ + inhale old(Bag_state(r, lvl, z)) == 
r.$stepFrom_seq_int_ + inhale acc(Bag_Z(r), write) + exhale acc(r.$stepFrom_seq_int_, write) && + acc(r.$stepTo_seq_int_, write) + assert $_levelVar_32 == $_levelVar_14 + loopVar := false + } + $_levelVar_33 := $_levelVar_14 + exhale acc(Bag_atomicity_context_fp(r, lvl, z), write) + + // ------- make-atomic END --------- + +} + +method updateEntryGhost(x: Ref, c: Ref, l: Int) + requires acc(x.$entry_$next, write) && true && + (acc(BagList(c, l, x.$entry_$next), write) && (l >= 0 && true)) && + (acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true)) + ensures acc(x.$entry_$next, write) && + x.$entry_$next == old(x.$entry_$next) && + (acc(BagList(c, l, old(x.$entry_$next)), write) && + (l >= 0 && + BagList_state(c, l, old(x.$entry_$next)) == + old(BagList_state(c, l, x.$entry_$next)))) && + (acc(x.$entry_$_nextId, write) && x.$entry_$_nextId == c && + (acc(x.$entry_$_nextLvl, write) && x.$entry_$_nextLvl == l) && + (acc(x.$entry_$_nextState, write) && + x.$entry_$_nextState == old(BagList_state(c, l, x.$entry_$next)))) +{ + var hr: Ref + var hl: Int + var h_state: Seq[Int] + var $_levelVar_34: Int + inhale $_levelVar_34 >= 0 && $_levelVar_34 > l + assert $_levelVar_34 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- exhale BEGIN ------------ + + exhale acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && 
true) + hr := x.$entry_$_nextId + hl := x.$entry_$_nextLvl + h_state := x.$entry_$_nextState + + // ------- inhale END -------------- + + + // ------- assume BEGIN ------------ + + inhale hr == c && hl == l && + h_state == old(BagList_state(c, l, x.$entry_$next)) + + // ------- assume END -------------- + +} + +method updateLinkGhost(x: Ref, c: Ref, l: Int) + requires acc(x.$link_$next, write) && true && + (acc(BagList(c, l, x.$link_$next), write) && (l >= 0 && true)) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) + ensures acc(x.$link_$next, write) && x.$link_$next == old(x.$link_$next) && + (acc(BagList(c, l, old(x.$link_$next)), write) && + (l >= 0 && + BagList_state(c, l, old(x.$link_$next)) == + old(BagList_state(c, l, x.$link_$next)))) && + (acc(x.$link_$_nextId, write) && x.$link_$_nextId == c && + (acc(x.$link_$_nextLvl, write) && x.$link_$_nextLvl == l) && + (acc(x.$link_$_nextState, write) && + x.$link_$_nextState == old(BagList_state(c, l, x.$link_$next)))) +{ + var hr: Ref + var hl: Int + var h_state: Seq[Int] + var $_levelVar_35: Int + inhale $_levelVar_35 >= 0 && $_levelVar_35 > l + assert $_levelVar_35 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- exhale BEGIN ------------ + + exhale acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true) + hr := x.$link_$_nextId + hl := 
x.$link_$_nextLvl + h_state := x.$link_$_nextState + + // ------- inhale END -------------- + + + // ------- assume BEGIN ------------ + + inhale hr == c && hl == l && + h_state == old(BagList_state(c, l, x.$link_$next)) + + // ------- assume END -------------- + +} + +method createBagList(r: Ref, lvl: Int, x: Ref, c: Ref, l: Int, vs: Seq[Int]) + requires acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) && + (!(x == null) ? + acc(BagList(c, l, x.$link_$next), write) && + (l >= 0 && BagList_state(c, l, x.$link_$next) == vs) && + acc(BagList_G(c), write) && + l < lvl : + true) + ensures acc(BagList(r, lvl, x), write) && + (lvl >= 0 && BagList_state(r, lvl, x) == Seq(old(x.$link_$val)) ++ vs) && + acc(BagList_G(r), write) +{ + var $_levelVar_36: Int + var $_levelVar_37: Int + inhale $_levelVar_36 >= 0 && $_levelVar_36 > l + assert $_levelVar_36 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(BagList_G(r), write) + + // ------- inhale END -------------- + + + // ------- if-then-else BEGIN ------ + + if (!(x == null)) { + + // ------- apply BEGIN ------------- + + updateLinkGhost(x, c, l) + + // ------- apply END --------------- + + assert $_levelVar_36 == $_levelVar_36 + } + $_levelVar_37 := $_levelVar_36 + + // ------- if-then-else END -------- + + + // ------- fold BEGIN -------------- + + fold acc(BagList(r, lvl, x), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method CAS_entry(x: Ref, now: Ref, thn: Ref) returns (ret: Bool) + requires 
acc(x.$entry_$next, write) && true + ensures (old(x.$entry_$next) == now ? + ret && (acc(x.$entry_$next, write) && x.$entry_$next == thn) : + !ret && + (acc(x.$entry_$next, write) && x.$entry_$next == old(x.$entry_$next))) + + +method $_Bag_interpretation_stability_check(r: Ref, lvl: Int, z: Ref) +{ + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) && + (acc(BagList(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next), write) && + (z.$entry_$_nextLvl >= 0 && + BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next) == + z.$entry_$_nextState)) && + acc(BagList_G(z.$entry_$_nextId), write) && + z.$entry_$_nextLvl < lvl + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) BEGIN + + label pre_stabilize22 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize22](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize22](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize22](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region 
BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize22](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize22](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) END + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) && + (acc(BagList(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next), write) && + (z.$entry_$_nextLvl >= 0 && + BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next) == + z.$entry_$_nextState)) && + acc(BagList_G(z.$entry_$_nextId), write) && + z.$entry_$_nextLvl < lvl +} + +method $_Bag_action_transitivity_check() +{ + var Z: Bool + var $_action_p_0_x: Seq[Int] + var $_action_q_0_x: Seq[Int] + var $_action_p_0_y: Seq[Int] + var $_action_q_0_y: Seq[Int] + var aState: Seq[Int] + var bState: Seq[Int] + var cState: Seq[Int] + inhale aState == bState || + $_action_p_0_x == aState && $_action_q_0_x == bState && true && Z + inhale bState == cState || + $_action_p_0_y == bState && $_action_q_0_y == cState && true && Z + assert aState == cState || + aState == aState && cState == cState && true && Z +} + +method $_BagList_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Bag_sk_fp(), write) && 
acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true))) && + (!(x == null) ? + acc(BagList(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next), write) && + (x.$link_$_nextLvl >= 0 && + BagList_state(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next) == + x.$link_$_nextState) && + acc(BagList_G(x.$link_$_nextId), write) && + x.$link_$_nextLvl < lvl : + true) + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) BEGIN + + label pre_stabilize23 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize23](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize23](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize23](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize23](perm(BagList($r, $lvl, $x))) 
==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize23](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize23](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) END + + assert acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true))) && + (!(x == null) ? + acc(BagList(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next), write) && + (x.$link_$_nextLvl >= 0 && + BagList_state(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next) == + x.$link_$_nextState) && + acc(BagList_G(x.$link_$_nextId), write) && + x.$link_$_nextLvl < lvl : + true) +} + +method $_BagList_action_transitivity_check() +{ + var G: Bool + var $_action_p_0_x: Seq[Int] + var $_action_q_0_x: Seq[Int] + var $_action_p_0_y: Seq[Int] + var $_action_q_0_y: Seq[Int] + var aState: Seq[Int] + var bState: Seq[Int] + var cState: Seq[Int] + inhale aState == bState || + $_action_p_0_x == aState && $_action_q_0_x == bState && true && G + inhale bState == cState || + $_action_p_0_y == bState && $_action_q_0_y == cState && true && G + assert aState == cState || + aState == aState && cState == cState && true && G +} + +method $_push_condition_stability_precondition_check(r: Ref, lvl: Int, z: Ref, + n: Int) + requires acc(Bag(r, lvl, z), write) && + (lvl >= 0 && Bag_state(r, lvl, z) == Bag_state(r, lvl, z)) && + acc(Bag_Z(r), write) +{ + var $_levelVar_39: Int + var x: Ref + var y: Ref + var y_state: Seq[Int] + var b: Bool + var c: Ref + var l: Int + inhale $_levelVar_39 
>= 0 && $_levelVar_39 > lvl + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Bag_interferenceSet_hf(20, r, lvl, z) == comprehension_113_220() + inhale Bag_interferenceReference_hf(20, r, lvl, z) == + old(Bag_state(r, lvl, z)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize24 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize24](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize24](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize24](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize24](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize24](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) 
== + old[pre_stabilize24](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(Bag(r, lvl, z), write) && + (lvl >= 0 && Bag_state(r, lvl, z) == Bag_state(r, lvl, z)) && + acc(Bag_Z(r), write) +} + +method $_pop_condition_stability_precondition_check(r: Ref, lvl: Int, z: Ref, + v: Int) + requires acc(Bag(r, lvl, z), write) && + (lvl >= 0 && Bag_state(r, lvl, z) == Bag_state(r, lvl, z)) && + acc(Bag_Z(r), write) +{ + var $_levelVar_40: Int + var t: Ref + var tn: Ref + var b: Bool + var x_state: Seq[Int] + var vi: Int + inhale $_levelVar_40 >= 0 && $_levelVar_40 > lvl + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Bag_interferenceSet_hf(20, r, lvl, z) == comprehension_113_220() + inhale Bag_interferenceReference_hf(20, r, lvl, z) == + old(Bag_state(r, lvl, z)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize25 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize25](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize25](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + 
old[pre_stabilize25](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize25](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize25](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize25](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(Bag(r, lvl, z), write) && + (lvl >= 0 && Bag_state(r, lvl, z) == Bag_state(r, lvl, z)) && + acc(Bag_Z(r), write) +} + +method $_updateEntryGhost_condition_stability_precondition_check(x: Ref, c: Ref, + l: Int) + requires acc(x.$entry_$next, write) && true && + (acc(BagList(c, l, x.$entry_$next), write) && (l >= 0 && true)) && + (acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true)) +{ + var $_levelVar_41: Int + inhale $_levelVar_41 >= 0 && $_levelVar_41 > l + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method 
condition) BEGIN + + label pre_stabilize26 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize26](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize26](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize26](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize26](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize26](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize26](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(x.$entry_$next, write) && true && + (acc(BagList(c, l, x.$entry_$next), write) && (l >= 0 && true)) && + (acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true)) +} + +method 
$_updateLinkGhost_condition_stability_precondition_check(x: Ref, c: Ref, + l: Int) + requires acc(x.$link_$next, write) && true && + (acc(BagList(c, l, x.$link_$next), write) && (l >= 0 && true)) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) +{ + var $_levelVar_42: Int + inhale $_levelVar_42 >= 0 && $_levelVar_42 > l + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize27 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize27](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize27](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize27](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize27](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, 
$lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize27](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize27](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(x.$link_$next, write) && true && + (acc(BagList(c, l, x.$link_$next), write) && (l >= 0 && true)) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) +} + +method $_createBagList_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, c: Ref, l: Int, vs: Seq[Int]) + requires acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) && + (!(x == null) ? 
+ acc(BagList(c, l, x.$link_$next), write) && + (l >= 0 && BagList_state(c, l, x.$link_$next) == vs) && + acc(BagList_G(c), write) && + l < lvl : + true) +{ + var $_levelVar_43: Int + inhale $_levelVar_43 >= 0 && $_levelVar_43 > l + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize28 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize28](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize28](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize28](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize28](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize28](BagList_state($r, $lvl, 
$x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize28](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) && + (!(x == null) ? + acc(BagList(c, l, x.$link_$next), write) && + (l >= 0 && BagList_state(c, l, x.$link_$next) == vs) && + acc(BagList_G(c), write) && + l < lvl : + true) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BoundedCounter-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BoundedCounter-I.vl.vpr new file mode 100644 index 00000000..9eb775d0 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/BoundedCounter-I.vl.vpr 
@@ -0,0 +1,1211 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function BCounter_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function BCounter_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function BCounter_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function BCounter_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function BCounter_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(BCounter_atomicity_context_fp(r, lvl, x), write) + ensures [BCounter_atomicity_context_df(r, lvl, x), true] + + +function BCounter_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(BCounter_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in BCounter_interferenceSet_df($p0, r, lvl, x))), + true] + + +function BCounter_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter_interferenceContext_fp(r, lvl, x), write) + ensures [BCounter_interferenceReference_df($p0, r, lvl, x), true] + + +function BCounter_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter_sk_fp(), write) + + +function BCounter_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter_sk_fp(), write) + + +function BCounter_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter(r, lvl, x), write) + ensures [BCounter_state_T(r, lvl, x), true] +{ + (unfolding acc(BCounter(r, lvl, x), write) in x.$memcell_$f) +} + +predicate BCounter_INCREMENT($r: Ref) + +predicate 
BCounter_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate BCounter_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate BCounter_sk_fp() + +predicate BCounter(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1 || x.$memcell_$f == 2) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_BCounter() + + +method ___silicon_hack407_havoc_all_BCounter_interferenceContext_fp() + + +method makeBCounter(r: Ref, lvl: Int) returns (ret: Ref) + requires lvl >= 0 + ensures acc(BCounter(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(r), write) +{ + var v: Ref + var w: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(v.$memcell_$f, write) && true + w := v.$memcell_$f + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + v.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions BCounter (after heap-write@18.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + 
($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize0](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after heap-write@18.3) END + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(BCounter_INCREMENT(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(BCounter(r, lvl, ret), write) + assert lvl >= 0 && BCounter_state(r, lvl, ret) == 0 + + // ------- fold END ---------------- + +} + +method incr(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && BCounter_state(c, lvl, x) == BCounter_state(c, lvl, x)) && + acc(BCounter_INCREMENT(c), write) + requires (BCounter_state(c, lvl, x) in IntSet()) + ensures acc(BCounter(c, lvl, x), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(c), write) + ensures ret == old(BCounter_state(c, lvl, x)) && + (old(BCounter_state(c, lvl, x)) < 2 ? 
+ BCounter_state(c, lvl, x) == old(BCounter_state(c, lvl, x)) + 1 : + BCounter_state(c, lvl, x) == 0) +{ + var v: Int + var w: Int + var b: Bool + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var $_levelVar_16: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale BCounter_interferenceSet_hf(1, c, lvl, x) == IntSet() + inhale BCounter_interferenceReference_hf(1, c, lvl, x) == + old(BCounter_state(c, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(BCounter_INCREMENT(c), write) + exhale acc(BCounter(c, lvl, x), write) + + // ------- Stabilising regions BCounter (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + 
true)) + + // ------- Stabilising regions BCounter (stabilizing frame before make-atomic) END + + $_levelVar_2 := lvl + assert perm(BCounter_atomicity_context_fp(c, lvl, x)) == none + inhale acc(BCounter_atomicity_context_fp(c, lvl, x), write) + inhale BCounter_atomicity_context_hf(c, lvl, x) == + BCounter_interferenceSet_hf(1, c, lvl, x) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(BCounter(c, lvl, x), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(c), write) + invariant !loopVar0 ==> + ret == old(BCounter_state(c, lvl, x)) && + (old(BCounter_state(c, lvl, x)) < 2 ? + BCounter_state(c, lvl, x) == old(BCounter_state(c, lvl, x)) + 1 : + BCounter_state(c, lvl, x) == 0) + { + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(BCounter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BCounter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(BCounter_atomicity_context_fp($r, $lvl, $x))) ==> + BCounter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](BCounter_atomicity_context_hf($r, $lvl, $x))) + inhale acc(BCounter(c, lvl, x), write) + inhale acc(c.$diamond, write) + + // ------- Stabilising regions BCounter (before atomic) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region BCounter + quasihavoc BCounter(c, lvl, x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (none < perm(c.$diamond) && + none < perm(BCounter_atomicity_context_fp(c, lvl, x)) ==> + (BCounter_state(c, lvl, x) in + BCounter_atomicity_context_hf(c, lvl, x))) && + (BCounter_state(c, lvl, x) == + old[pre_stabilize2](BCounter_state(c, lvl, x)) || + BCounter_sk_$_action_n(c, lvl, x) == + 
old[pre_stabilize2](BCounter_state(c, lvl, x)) && + BCounter_sk_$_action_m(c, lvl, x) == BCounter_state(c, lvl, x) && + true && + true) + + // ------- Stabilising regions BCounter (before atomic) END + + assert acc(BCounter(c, lvl, x), write) + + // ------- Stabilising regions BCounter (infer context for open-region) BEGIN + + label pre_stabilize3 + + // Stabilising single instance of region BCounter + quasihavoc BCounter_interferenceContext_fp(c, lvl, x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(2, c, lvl, x)) } + ($$_m in BCounter_interferenceSet_hf(2, c, lvl, x)) == + ((none < perm(c.$diamond) && + none < perm(BCounter_atomicity_context_fp(c, lvl, x)) ==> + ($$_m in BCounter_atomicity_context_hf(c, lvl, x))) && + ($$_m == old[pre_stabilize3](BCounter_state(c, lvl, x)) || + BCounter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize3](BCounter_state(c, lvl, x)) && + BCounter_sk_$_action_m(c, lvl, x) == $$_m && + true && + true))) + quasihavoc BCounter(c, lvl, x) + inhale (BCounter_state(c, lvl, x) in + BCounter_interferenceSet_hf(2, c, lvl, x)) + + // havoc performed by other front resource + + inhale BCounter_interferenceReference_hf(2, c, lvl, x) == + old[pre_stabilize3](BCounter_state(c, lvl, x)) + + // ------- Stabilising regions BCounter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_3 := lvl + unfold acc(BCounter(c, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(BCounter(c, lvl, x), write) + assert BCounter_state(c, lvl, x) == + old[pre_open_region0](BCounter_state(c, lvl, x)) + $_levelVar_4 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions BCounter (after open-region@46.7) BEGIN 
+ + label pre_stabilize4 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize4](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after open-region@46.7) END + + + // ------- if-then-else BEGIN ------ + + if (v < 2) { + + // ------- assign BEGIN ------------ + + w := v + 1 + + // ------- assign END -------------- + + assert $_levelVar_4 == $_levelVar_4 + } else { + $_levelVar_5 := $_levelVar_4 + + // ------- assign BEGIN ------------ + + w := 0 + + // ------- assign END -------------- + + assert $_levelVar_5 == $_levelVar_4 + } + $_levelVar_6 := $_levelVar_4 + 
+ // ------- if-then-else END -------- + + + // ------- update-region BEGIN ----- + + exhale acc(c.$diamond, write) + label pre_region_update0 + assert $_levelVar_6 > lvl + $_levelVar_7 := lvl + exhale acc(BCounter_atomicity_context_fp(c, lvl, x), write) + unfold acc(BCounter(c, lvl, x), write) + + // no interference context translation needed + + exhale acc(BCounter(c, lvl, x), perm(BCounter(c, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_7 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$f) == v ? + b && (acc(x.$memcell_$f, write) && x.$memcell_$f == w) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call0](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(BCounter(c, lvl, x), write) + if (BCounter_state(c, lvl, x) != + old[pre_region_update0](BCounter_state(c, lvl, x))) { + inhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + c.$stepFrom_int := old[pre_region_update0](BCounter_state(c, lvl, x)) + c.$stepTo_int := BCounter_state(c, lvl, x) + } else { + inhale acc(c.$diamond, write) + } + inhale acc(BCounter_atomicity_context_fp(c, lvl, x), write) + inhale BCounter_atomicity_context_hf(c, lvl, x) == + old[pre_region_update0](BCounter_atomicity_context_hf(c, lvl, x)) + $_levelVar_8 := $_levelVar_6 + + // ------- update-region END ------- + + + // ------- Stabilising regions BCounter (after update-region@56.7) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(BCounter($r, $lvl, $x))) ==> + 
($$_m in BCounter_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize5](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after update-region@56.7) END + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(BCounter(c, lvl, x), write) && (lvl >= 0 && true) + invariant (!b ? acc(c.$diamond, write) : true) + invariant (b ? + acc(c.$stepFrom_int, write) && c.$stepFrom_int == v && + (acc(c.$stepTo_int, write) && c.$stepTo_int == w) : + true) + invariant (v < 2 ? 
w == v + 1 : w == 0) + { + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(BCounter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BCounter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(BCounter_atomicity_context_fp($r, $lvl, $x))) ==> + BCounter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](BCounter_atomicity_context_hf($r, $lvl, $x))) + assert acc(BCounter(c, lvl, x), write) + + // ------- Stabilising regions BCounter (infer context for open-region) BEGIN + + label pre_stabilize6 + + // Stabilising single instance of region BCounter + quasihavoc BCounter_interferenceContext_fp(c, lvl, x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(5, c, lvl, x)) } + ($$_m in BCounter_interferenceSet_hf(5, c, lvl, x)) == + ((none < perm(c.$diamond) && + none < perm(BCounter_atomicity_context_fp(c, lvl, x)) ==> + ($$_m in BCounter_atomicity_context_hf(c, lvl, x))) && + ($$_m == old[pre_stabilize6](BCounter_state(c, lvl, x)) || + BCounter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize6](BCounter_state(c, lvl, x)) && + BCounter_sk_$_action_m(c, lvl, x) == $$_m && + true && + true))) + quasihavoc BCounter(c, lvl, x) + inhale (BCounter_state(c, lvl, x) in + BCounter_interferenceSet_hf(5, c, lvl, x)) + + // havoc performed by other front resource + + inhale BCounter_interferenceReference_hf(5, c, lvl, x) == + old[pre_stabilize6](BCounter_state(c, lvl, x)) + + // ------- Stabilising regions BCounter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_8 > lvl + $_levelVar_9 := lvl + unfold acc(BCounter(c, 
lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(BCounter(c, lvl, x), write) + assert BCounter_state(c, lvl, x) == + old[pre_open_region](BCounter_state(c, lvl, x)) + $_levelVar_10 := $_levelVar_8 + + // ------- open-region END --------- + + + // ------- Stabilising regions BCounter (after open-region@46.7) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize7](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising 
regions BCounter (after open-region@46.7) END + + + // ------- if-then-else BEGIN ------ + + if (v < 2) { + + // ------- assign BEGIN ------------ + + w := v + 1 + + // ------- assign END -------------- + + assert $_levelVar_10 == $_levelVar_10 + } else { + $_levelVar_11 := $_levelVar_10 + + // ------- assign BEGIN ------------ + + w := 0 + + // ------- assign END -------------- + + assert $_levelVar_11 == $_levelVar_10 + } + $_levelVar_12 := $_levelVar_10 + + // ------- if-then-else END -------- + + + // ------- update-region BEGIN ----- + + exhale acc(c.$diamond, write) + label pre_region_update + assert $_levelVar_12 > lvl + $_levelVar_13 := lvl + exhale acc(BCounter_atomicity_context_fp(c, lvl, x), write) + unfold acc(BCounter(c, lvl, x), write) + + // no interference context translation needed + + exhale acc(BCounter(c, lvl, x), perm(BCounter(c, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_13 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$f) == v ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == w) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(BCounter(c, lvl, x), write) + if (BCounter_state(c, lvl, x) != + old[pre_region_update](BCounter_state(c, lvl, x))) { + inhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + c.$stepFrom_int := old[pre_region_update](BCounter_state(c, lvl, x)) + c.$stepTo_int := BCounter_state(c, lvl, x) + } else { + inhale acc(c.$diamond, write) + } + inhale acc(BCounter_atomicity_context_fp(c, lvl, x), write) + inhale BCounter_atomicity_context_hf(c, lvl, x) == + old[pre_region_update](BCounter_atomicity_context_hf(c, lvl, x)) + $_levelVar_14 := $_levelVar_12 + + // ------- update-region END ------- + + + // ------- Stabilising regions BCounter (after update-region@56.7) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + 
old[pre_stabilize8](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize8](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after update-region@56.7) END + + assert $_levelVar_14 == $_levelVar_8 + } + $_levelVar_15 := $_levelVar_8 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- Havocking regions BCounter (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region BCounter + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: BCounter($r, $lvl, $x) + + // ------- Havocking regions BCounter (after atomic) END + + assert (c.$stepFrom_int in BCounter_atomicity_context_hf(c, lvl, x)) + assert true + inhale BCounter_state(c, lvl, x) == c.$stepTo_int + inhale old(BCounter_state(c, lvl, x)) == c.$stepFrom_int + inhale acc(BCounter_INCREMENT(c), write) + exhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + assert $_levelVar_15 == $_levelVar_1 + loopVar0 := false + } + $_levelVar_16 := $_levelVar_1 + exhale acc(BCounter_atomicity_context_fp(c, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method read(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && BCounter_state(c, lvl, x) == BCounter_state(c, lvl, x)) && + acc(BCounter_INCREMENT(c), write) + requires (BCounter_state(c, lvl, x) in IntSet()) + ensures acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && + BCounter_state(c, lvl, x) == old(BCounter_state(c, lvl, x))) && + acc(BCounter_INCREMENT(c), write) + ensures ret == old(BCounter_state(c, lvl, x)) +{ + var 
$_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + inhale $_levelVar_17 >= 0 && $_levelVar_17 > lvl + assert $_levelVar_17 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale BCounter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale BCounter_interferenceReference_hf(7, c, lvl, x) == + old(BCounter_state(c, lvl, x)) + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_17 > lvl + $_levelVar_18 := lvl + unfold acc(BCounter(c, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(BCounter(c, lvl, x), write) + assert BCounter_state(c, lvl, x) == + old[pre_open_region2](BCounter_state(c, lvl, x)) + $_levelVar_19 := $_levelVar_17 + + // ------- open-region END --------- + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$f, write) && true + ensures (old(x.$memcell_$f) == now ? 
+ ret && (acc(x.$memcell_$f, write) && x.$memcell_$f == thn) : + !ret && + (acc(x.$memcell_$f, write) && x.$memcell_$f == old(x.$memcell_$f))) + + +method $_BCounter_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1 || x.$memcell_$f == 2) + + // ------- Stabilising regions BCounter (check stability of region interpretation) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize9](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions BCounter (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1 || x.$memcell_$f == 2) +} + +method $_BCounter_action_transitivity_check() +{ + var INCREMENT: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && true && + INCREMENT + inhale bState == 
cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && true && + INCREMENT + assert aState == cState || + aState == aState && cState == cState && true && INCREMENT +} + +method $_makeBCounter_condition_stability_precondition_check(r: Ref, lvl: Int, + ret: Ref) + requires lvl >= 0 +{ + var $_levelVar_21: Int + var v: Ref + inhale $_levelVar_21 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions BCounter (check stability of method condition) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize10](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions BCounter (check stability of method condition) END + + assert lvl >= 0 +} + +method $_incr_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && BCounter_state(c, lvl, x) == BCounter_state(c, lvl, x)) && + acc(BCounter_INCREMENT(c), write) +{ + var $_levelVar_22: Int + var v: Int + var w: Int + var b: Bool + inhale $_levelVar_22 >= 0 && $_levelVar_22 > lvl + inhale acc(BCounter_sk_fp(), write) + + // no init required + + 
inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale BCounter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale BCounter_interferenceReference_hf(7, c, lvl, x) == + old(BCounter_state(c, lvl, x)) + + // ------- Stabilising regions BCounter (check stability of method condition) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize11](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions BCounter (check stability of method condition) END + + assert acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && BCounter_state(c, lvl, x) == BCounter_state(c, lvl, x)) && + acc(BCounter_INCREMENT(c), write) +} + +method $_read_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && BCounter_state(c, lvl, x) == BCounter_state(c, lvl, x)) && + acc(BCounter_INCREMENT(c), write) +{ + var $_levelVar_23: Int + inhale $_levelVar_23 >= 0 && $_levelVar_23 > lvl + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale BCounter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale 
BCounter_interferenceReference_hf(7, c, lvl, x) == + old(BCounter_state(c, lvl, x)) + + // ------- Stabilising regions BCounter (check stability of method condition) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize12](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions BCounter (check stability of method condition) END + + assert acc(BCounter(c, lvl, x), write) && + (lvl >= 0 && BCounter_state(c, lvl, x) == BCounter_state(c, lvl, x)) && + acc(BCounter_INCREMENT(c), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/CASCounter-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/CASCounter-I.vl.vpr new file mode 100644 index 00000000..7105fb17 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/CASCounter-I.vl.vpr 
@@ -0,0 +1,1536 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Counter_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function Counter_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Counter_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function Counter_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function Counter_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Counter_atomicity_context_fp(r, lvl, x), write) + ensures [Counter_atomicity_context_df(r, lvl, x), true] + + +function Counter_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Counter_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Counter_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Counter_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_interferenceContext_fp(r, lvl, x), write) + ensures [Counter_interferenceReference_df($p0, r, lvl, x), true] + + +function Counter_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter(r, lvl, x), write) + ensures [Counter_state_T(r, lvl, x), true] +{ + (unfolding acc(Counter(r, lvl, x), write) in x.$memcell_$f) +} + +predicate Counter_INCREMENT($r: Ref) + +predicate 
Counter_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Counter_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Counter_sk_fp() + +predicate Counter(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_Counter() + + +method ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() + + +method makeCounter(r: Ref, lvl: Int) returns (ret: Ref) + requires lvl >= 0 + ensures acc(Counter(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) +{ + var v: Ref + var w: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(v.$memcell_$f, write) && true + w := v.$memcell_$f + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + v.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Counter (after heap-write@22.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == 
old[pre_stabilize0](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after heap-write@22.3) END + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Counter_INCREMENT(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Counter(r, lvl, ret), write) + assert lvl >= 0 && Counter_state(r, lvl, ret) == 0 + + // ------- fold END ---------------- + +} + +method incr(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) + requires (Counter_state(c, lvl, x) in IntSet()) + ensures acc(Counter(c, lvl, x), write) && + (lvl >= 0 && + Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x)) + 1) && + acc(Counter_INCREMENT(c), write) + ensures ret == old(Counter_state(c, lvl, x)) +{ + var r: Int + var b: Bool + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int 
+ var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(1, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(1, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(Counter_INCREMENT(c), write) + exhale acc(Counter(c, lvl, x), write) + + // ------- Stabilising regions Counter (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (stabilizing frame before make-atomic) END + + $_levelVar_2 := lvl + assert perm(Counter_atomicity_context_fp(c, lvl, x)) == none + inhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + inhale Counter_atomicity_context_hf(c, lvl, x) == + Counter_interferenceSet_hf(1, c, lvl, x) + label 
preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(Counter(c, lvl, x), write) && + (lvl >= 0 && + Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x)) + 1) && + acc(Counter_INCREMENT(c), write) + invariant !loopVar0 ==> ret == old(Counter_state(c, lvl, x)) + { + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Counter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Counter_atomicity_context_fp($r, $lvl, $x))) ==> + Counter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Counter_atomicity_context_hf($r, $lvl, $x))) + inhale acc(Counter(c, lvl, x), write) + inhale acc(c.$diamond, write) + + // ------- Stabilising regions Counter (before atomic) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region Counter + quasihavoc Counter(c, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (none < perm(c.$diamond) && + none < perm(Counter_atomicity_context_fp(c, lvl, x)) ==> + (Counter_state(c, lvl, x) in Counter_atomicity_context_hf(c, lvl, x))) && + (Counter_state(c, lvl, x) == + old[pre_stabilize2](Counter_state(c, lvl, x)) || + Counter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize2](Counter_state(c, lvl, x)) && + Counter_sk_$_action_m(c, lvl, x) == Counter_state(c, lvl, x) && + Counter_sk_$_action_n(c, lvl, x) < Counter_sk_$_action_m(c, lvl, x) && + true) + + // ------- Stabilising regions Counter (before atomic) END + + assert acc(Counter(c, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize3 + + // Stabilising single instance of region Counter + 
quasihavoc Counter_interferenceContext_fp(c, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(2, c, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(2, c, lvl, x)) == + ((none < perm(c.$diamond) && + none < perm(Counter_atomicity_context_fp(c, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(c, lvl, x))) && + ($$_m == old[pre_stabilize3](Counter_state(c, lvl, x)) || + Counter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize3](Counter_state(c, lvl, x)) && + Counter_sk_$_action_m(c, lvl, x) == $$_m && + Counter_sk_$_action_n(c, lvl, x) < Counter_sk_$_action_m(c, lvl, x) && + true))) + quasihavoc Counter(c, lvl, x) + inhale (Counter_state(c, lvl, x) in + Counter_interferenceSet_hf(2, c, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(2, c, lvl, x) == + old[pre_stabilize3](Counter_state(c, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_3 := lvl + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + r := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(c, lvl, x), write) + assert Counter_state(c, lvl, x) == + old[pre_open_region0](Counter_state(c, lvl, x)) + $_levelVar_4 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter (after open-region@48.7) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in 
Counter_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize4](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after open-region@48.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(c.$diamond, write) + label pre_region_update0 + assert $_levelVar_4 > lvl + $_levelVar_5 := lvl + exhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + exhale acc(Counter(c, lvl, x), perm(Counter(c, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_5 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$f) == r ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == r + 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call0](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(Counter(c, lvl, x), write) + if (Counter_state(c, lvl, x) != + old[pre_region_update0](Counter_state(c, lvl, x))) { + inhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + c.$stepFrom_int := old[pre_region_update0](Counter_state(c, lvl, x)) + c.$stepTo_int := Counter_state(c, lvl, x) + } else { + inhale acc(c.$diamond, write) + } + inhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + inhale Counter_atomicity_context_hf(c, lvl, x) == + old[pre_region_update0](Counter_atomicity_context_hf(c, lvl, x)) + $_levelVar_6 := $_levelVar_4 + + // ------- update-region END ------- + + + // ------- Stabilising regions Counter (after update-region@51.7) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, 
$lvl, $x)] :: none < + old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize5](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after update-region@51.7) END + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(Counter(c, lvl, x), write) && (lvl >= 0 && true) + invariant (!b ? acc(c.$diamond, write) : true) + invariant (b ? + acc(c.$stepFrom_int, write) && c.$stepFrom_int == r && + (acc(c.$stepTo_int, write) && c.$stepTo_int == r + 1) : + true) + { + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(Counter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(Counter_atomicity_context_fp($r, $lvl, $x))) ==> + Counter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](Counter_atomicity_context_hf($r, $lvl, $x))) + assert acc(Counter(c, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize6 + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(c, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(5, c, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(5, c, lvl, x)) == + ((none < perm(c.$diamond) && + none < 
perm(Counter_atomicity_context_fp(c, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(c, lvl, x))) && + ($$_m == old[pre_stabilize6](Counter_state(c, lvl, x)) || + Counter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize6](Counter_state(c, lvl, x)) && + Counter_sk_$_action_m(c, lvl, x) == $$_m && + Counter_sk_$_action_n(c, lvl, x) < + Counter_sk_$_action_m(c, lvl, x) && + true))) + quasihavoc Counter(c, lvl, x) + inhale (Counter_state(c, lvl, x) in + Counter_interferenceSet_hf(5, c, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(5, c, lvl, x) == + old[pre_stabilize6](Counter_state(c, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_6 > lvl + $_levelVar_7 := lvl + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + r := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(c, lvl, x), write) + assert Counter_state(c, lvl, x) == + old[pre_open_region](Counter_state(c, lvl, x)) + $_levelVar_8 := $_levelVar_6 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter (after open-region@48.7) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, 
$x))) && + ($$_m == old[pre_stabilize7](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize7](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after open-region@48.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(c.$diamond, write) + label pre_region_update + assert $_levelVar_8 > lvl + $_levelVar_9 := lvl + exhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + exhale acc(Counter(c, lvl, x), perm(Counter(c, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_9 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$f) == r ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == r + 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(Counter(c, lvl, x), write) + if (Counter_state(c, lvl, x) != + old[pre_region_update](Counter_state(c, lvl, x))) { + inhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + c.$stepFrom_int := old[pre_region_update](Counter_state(c, lvl, x)) + c.$stepTo_int := Counter_state(c, lvl, x) + } else { + inhale acc(c.$diamond, write) + } + inhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + inhale Counter_atomicity_context_hf(c, lvl, x) == + old[pre_region_update](Counter_atomicity_context_hf(c, lvl, x)) + $_levelVar_10 := $_levelVar_8 + + // ------- update-region END ------- + + + // ------- Stabilising regions Counter (after update-region@51.7) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, 
$x)] :: none < + old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize8](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after update-region@51.7) END + + assert $_levelVar_10 == $_levelVar_6 + } + $_levelVar_11 := $_levelVar_6 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := r + + // ------- assign END -------------- + + + // ------- Havocking regions Counter (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region Counter + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: Counter($r, $lvl, $x) + + // ------- Havocking regions Counter (after atomic) END + + assert (c.$stepFrom_int in Counter_atomicity_context_hf(c, lvl, x)) + assert c.$stepFrom_int == c.$stepTo_int || + c.$stepFrom_int < c.$stepTo_int + inhale Counter_state(c, lvl, x) == c.$stepTo_int + inhale old(Counter_state(c, lvl, x)) == c.$stepFrom_int + inhale acc(Counter_INCREMENT(c), write) + exhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + assert $_levelVar_11 == $_levelVar_1 + loopVar0 := false + } + $_levelVar_12 := $_levelVar_1 + exhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method read(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) + requires (Counter_state(c, lvl, x) in IntSet()) + ensures acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x))) && + acc(Counter_INCREMENT(c), write) + ensures 
ret == old(Counter_state(c, lvl, x)) +{ + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + inhale $_levelVar_13 >= 0 && $_levelVar_13 > lvl + assert $_levelVar_13 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_13 > lvl + $_levelVar_14 := lvl + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(c, lvl, x), write) + assert Counter_state(c, lvl, x) == + old[pre_open_region2](Counter_state(c, lvl, x)) + $_levelVar_15 := $_levelVar_13 + + // ------- open-region END --------- + +} + +method wkincr(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) + requires (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x))) + ensures acc(Counter(c, lvl, x), write) && + (lvl >= 0 && + Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x)) + 1) && + acc(Counter_INCREMENT(c), write) + ensures ret == old(Counter_state(c, lvl, x)) +{ + var r: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + var $_levelVar_21: Int + var $_levelVar_22: Int + inhale $_levelVar_16 >= 0 && $_levelVar_16 > lvl + assert $_levelVar_16 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale 
Counter_interferenceSet_hf(7, c, lvl, x) == + Set(Counter_state(c, lvl, x)) + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar: Bool + exhale acc(Counter_INCREMENT(c), write) + exhale acc(Counter(c, lvl, x), write) + + // ------- Stabilising regions Counter (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize9](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (stabilizing frame before make-atomic) END + + $_levelVar_17 := lvl + assert perm(Counter_atomicity_context_fp(c, lvl, x)) == none + inhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + inhale Counter_atomicity_context_hf(c, lvl, x) == + Counter_interferenceSet_hf(7, c, lvl, x) + label preWhile2 + loopVar := true + while (loopVar) + invariant !loopVar ==> + acc(Counter(c, lvl, x), write) && + (lvl >= 0 && + Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x)) + 1) && + acc(Counter_INCREMENT(c), write) + invariant !loopVar ==> ret == old(Counter_state(c, lvl, x)) + { + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: 
Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($r, + $lvl, $x), old[preWhile2](perm(Counter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile2](perm(Counter_atomicity_context_fp($r, $lvl, $x))) ==> + Counter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile2](Counter_atomicity_context_hf($r, $lvl, $x))) + inhale acc(Counter(c, lvl, x), write) + inhale acc(c.$diamond, write) + + // ------- Stabilising regions Counter (before atomic) BEGIN + + label pre_stabilize10 + + // Stabilising single instance of region Counter + quasihavoc Counter(c, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (none < perm(c.$diamond) && + none < perm(Counter_atomicity_context_fp(c, lvl, x)) ==> + (Counter_state(c, lvl, x) in Counter_atomicity_context_hf(c, lvl, x))) && + (Counter_state(c, lvl, x) == + old[pre_stabilize10](Counter_state(c, lvl, x)) || + Counter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize10](Counter_state(c, lvl, x)) && + Counter_sk_$_action_m(c, lvl, x) == Counter_state(c, lvl, x) && + Counter_sk_$_action_n(c, lvl, x) < Counter_sk_$_action_m(c, lvl, x) && + true) + + // ------- Stabilising regions Counter (before atomic) END + + assert acc(Counter(c, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize11 + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(c, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(8, c, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(8, c, lvl, x)) == + ((none < perm(c.$diamond) && + none < perm(Counter_atomicity_context_fp(c, lvl, x)) ==> + ($$_m in 
Counter_atomicity_context_hf(c, lvl, x))) && + ($$_m == old[pre_stabilize11](Counter_state(c, lvl, x)) || + Counter_sk_$_action_n(c, lvl, x) == + old[pre_stabilize11](Counter_state(c, lvl, x)) && + Counter_sk_$_action_m(c, lvl, x) == $$_m && + Counter_sk_$_action_n(c, lvl, x) < Counter_sk_$_action_m(c, lvl, x) && + true))) + quasihavoc Counter(c, lvl, x) + inhale (Counter_state(c, lvl, x) in + Counter_interferenceSet_hf(8, c, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(8, c, lvl, x) == + old[pre_stabilize11](Counter_state(c, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_16 > lvl + $_levelVar_18 := lvl + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + r := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(c, lvl, x), write) + assert Counter_state(c, lvl, x) == + old[pre_open_region3](Counter_state(c, lvl, x)) + $_levelVar_19 := $_levelVar_16 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter (after open-region@82.5) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize12](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == 
old[pre_stabilize12](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize12](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after open-region@82.5) END + + + // ------- update-region BEGIN ----- + + exhale acc(c.$diamond, write) + label pre_region_update2 + assert $_levelVar_19 > lvl + $_levelVar_20 := lvl + exhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + unfold acc(Counter(c, lvl, x), write) + + // no interference context translation needed + + exhale acc(Counter(c, lvl, x), perm(Counter(c, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := r + 1 + + // ------- heap-write END ---------- + + fold acc(Counter(c, lvl, x), write) + if (Counter_state(c, lvl, x) != + old[pre_region_update2](Counter_state(c, lvl, x))) { + inhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + c.$stepFrom_int := old[pre_region_update2](Counter_state(c, lvl, x)) + c.$stepTo_int := Counter_state(c, lvl, x) + } else { + inhale acc(c.$diamond, write) + } + inhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + inhale Counter_atomicity_context_hf(c, lvl, x) == + old[pre_region_update2](Counter_atomicity_context_hf(c, lvl, x)) + $_levelVar_21 := $_levelVar_19 
+ + // ------- update-region END ------- + + + // ------- Stabilising regions Counter (after update-region@86.5) BEGIN + + label pre_stabilize13 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(10, $r, $lvl, $x)) } + none < old[pre_stabilize13](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(10, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize13](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(10, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(10, $r, $lvl, $x) == + old[pre_stabilize13](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after update-region@86.5) END + + + // ------- assign BEGIN ------------ + + ret := r + + // ------- assign END -------------- + + + // ------- Havocking regions Counter (after atomic) BEGIN + + label pre_havoc + + // Havocking single instance of region 
Counter + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: Counter($r, $lvl, $x) + + // ------- Havocking regions Counter (after atomic) END + + assert (c.$stepFrom_int in Counter_atomicity_context_hf(c, lvl, x)) + assert c.$stepFrom_int == c.$stepTo_int || + c.$stepFrom_int < c.$stepTo_int + inhale Counter_state(c, lvl, x) == c.$stepTo_int + inhale old(Counter_state(c, lvl, x)) == c.$stepFrom_int + inhale acc(Counter_INCREMENT(c), write) + exhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + assert $_levelVar_21 == $_levelVar_16 + loopVar := false + } + $_levelVar_22 := $_levelVar_16 + exhale acc(Counter_atomicity_context_fp(c, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$f, write) && true + ensures (old(x.$memcell_$f) == now ? + ret && (acc(x.$memcell_$f, write) && x.$memcell_$f == thn) : + !ret && + (acc(x.$memcell_$f, write) && x.$memcell_$f == old(x.$memcell_$f))) + + +method $_Counter_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true + + // ------- Stabilising regions Counter (check stability of region interpretation) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize14](Counter_state($r, 
$lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize14](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true +} + +method $_Counter_action_transitivity_check() +{ + var INCREMENT: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + INCREMENT + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + INCREMENT + assert aState == cState || + aState == aState && cState == cState && aState < cState && INCREMENT +} + +method $_makeCounter_condition_stability_precondition_check(r: Ref, lvl: Int, + ret: Ref) + requires lvl >= 0 +{ + var $_levelVar_24: Int + var v: Ref + inhale $_levelVar_24 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + 
(Counter_state($r, $lvl, $x) == + old[pre_stabilize15](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of method condition) END + + assert lvl >= 0 +} + +method $_incr_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) +{ + var $_levelVar_25: Int + var r: Int + var b: Bool + inhale $_levelVar_25 >= 0 && $_levelVar_25 > lvl + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(10, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(10, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize16](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == 
Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of method condition) END + + assert acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) +} + +method $_read_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) +{ + var $_levelVar_26: Int + inhale $_levelVar_26 >= 0 && $_levelVar_26 > lvl + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(10, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(10, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize17](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize17](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // 
------- Stabilising regions Counter (check stability of method condition) END + + assert acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) +} + +method $_wkincr_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) +{ + var $_levelVar_27: Int + var r: Int + inhale $_levelVar_27 >= 0 && $_levelVar_27 > lvl + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(10, c, lvl, x) == + Set(Counter_state(c, lvl, x)) + inhale Counter_interferenceReference_hf(10, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize18](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of method condition) END + + assert 
acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_INCREMENT(c), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoin-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoin-I.vl.vpr new file mode 100644 index 00000000..e83e8794 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoin-I.vl.vpr 
@@ -0,0 +1,964 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Join_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function Join_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Join_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function Join_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_41_220(): Set[Int] + ensures (forall $k: Int ::($k in result) == true) + + +function Join_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_atomicity_context_fp(r, lvl, x), write) + ensures [Join_atomicity_context_df(r, lvl, x), true] + + +function Join_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in Join_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Join_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [Join_interferenceReference_df($p0, r, lvl, x), true] + + +function Join_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Join(r, lvl, x), write) + ensures [Join_state_T(r, lvl, x), true] +{ + (unfolding acc(Join(r, lvl, x), write) in x.$memcell_$f) +} + +predicate Join_SET($r: Ref) + +predicate Join_Z($r: Ref) + +predicate Join_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_sk_fp() + +predicate Join(r: 
Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_Join() + + +method ___silicon_hack407_havoc_all_Join_interferenceContext_fp() + + +method makeJoin(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(Join(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) +{ + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + ret.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Join (after heap-write@22.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize0](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize0](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: 
Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after heap-write@22.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Join_SET(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Join(r, lvl, ret), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method set_to_one(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_SET(r), write) +{ + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Join_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + exhale acc(Join_SET(r), write) + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Join_SET(r), write) + exhale acc(Join(r, lvl, x), perm(Join(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 1 + + // ------- heap-write END ---------- + + fold acc(Join(r, lvl, x), write) + assert old[pre_use_atomic0](Join_state(r, lvl, x)) == + Join_state(r, lvl, x) || + 0 == 
old[pre_use_atomic0](Join_state(r, lvl, x)) && + 1 == Join_state(r, lvl, x) + $_levelVar_3 := $_levelVar_1 + + // ------- use-atomic END ---------- + +} + +method wait(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == Join_state(r, lvl, x)) && + acc(Join_Z(r), write) + requires (Join_state(r, lvl, x) in comprehension_41_220()) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_Z(r), write) +{ + var v: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + inhale $_levelVar_4 >= 0 && $_levelVar_4 > lvl + assert $_levelVar_4 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Join_interferenceSet_hf(1, r, lvl, x) == comprehension_41_220() + inhale Join_interferenceReference_hf(1, r, lvl, x) == + old(Join_state(r, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(Join_Z(r), write) + exhale acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize](Join_state($r, $lvl, $x)) || + 0 == 
old[pre_stabilize](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (stabilizing frame before make-atomic) END + + $_levelVar_5 := lvl + assert perm(Join_atomicity_context_fp(r, lvl, x)) == none + inhale acc(Join_atomicity_context_fp(r, lvl, x), write) + inhale Join_atomicity_context_hf(r, lvl, x) == + Join_interferenceSet_hf(1, r, lvl, x) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_Z(r), write) + { + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))) ==> + Join_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Join_atomicity_context_hf($r, $lvl, $x))) + inhale acc(Join(r, lvl, x), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions Join (before atomic) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region Join + quasihavoc Join(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + (Join_state(r, lvl, x) in Join_atomicity_context_hf(r, lvl, x))) && + (Join_state(r, lvl, x) == old[pre_stabilize2](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize2](Join_state(r, lvl, x)) && + 1 == Join_state(r, lvl, x) && + true && + true) + + // ------- Stabilising regions Join (before atomic) END + + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context 
for open-region) BEGIN + + label pre_stabilize3 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(2, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(2, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize3](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize3](Join_state(r, lvl, x)) && 1 == $$_m && + true && + true))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in Join_interferenceSet_hf(2, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(2, r, lvl, x) == + old[pre_stabilize3](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_4 > lvl + $_levelVar_6 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region0](Join_state(r, lvl, x)) + $_levelVar_7 := $_levelVar_4 + + // ------- open-region END --------- + + + // ------- Stabilising regions Join (after open-region@53.7) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + ($$_m 
in Join_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize4](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize4](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after open-region@53.7) END + + + // ------- if-then-else BEGIN ------ + + if (v == 1) { + + // ------- assert BEGIN ------------ + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) + + // ------- assert END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(r.$diamond, write) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(r.$stepFrom_int, write) && r.$stepFrom_int == 1 && + (acc(r.$stepTo_int, write) && r.$stepTo_int == 1) + + // ------- inhale END -------------- + + assert $_levelVar_7 == $_levelVar_7 + } + $_levelVar_8 := $_levelVar_7 + + // ------- if-then-else END -------- + + + // ------- while BEGIN ------------- + + label preWhile + while (v == 0) + invariant acc(Join(r, lvl, x), write) && (lvl >= 0 && true) + invariant (v == 0 ? 
+ Join_state(r, lvl, x) >= 0 && acc(r.$diamond, write) : + Join_state(r, lvl, x) == 1 && + (acc(r.$stepFrom_int, write) && + r.$stepFrom_int == Join_state(r, lvl, x) && + (acc(r.$stepTo_int, write) && + r.$stepTo_int == Join_state(r, lvl, x)))) + { + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(Join_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(Join_atomicity_context_fp($r, $lvl, $x))) ==> + Join_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](Join_atomicity_context_hf($r, $lvl, $x))) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize5 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(4, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(4, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize5](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize5](Join_state(r, lvl, x)) && 1 == $$_m && + true && + true))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in + Join_interferenceSet_hf(4, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(4, r, lvl, x) == + old[pre_stabilize5](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_8 > 
lvl + $_levelVar_9 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region](Join_state(r, lvl, x)) + $_levelVar_10 := $_levelVar_8 + + // ------- open-region END --------- + + + // ------- Stabilising regions Join (after open-region@53.7) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize6](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize6](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after open-region@53.7) END + + + // ------- if-then-else BEGIN ------ + + if (v == 1) { + + // ------- assert 
BEGIN ------------ + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) + + // ------- assert END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(r.$diamond, write) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(r.$stepFrom_int, write) && r.$stepFrom_int == 1 && + (acc(r.$stepTo_int, write) && r.$stepTo_int == 1) + + // ------- inhale END -------------- + + assert $_levelVar_10 == $_levelVar_10 + } + $_levelVar_11 := $_levelVar_10 + + // ------- if-then-else END -------- + + assert $_levelVar_11 == $_levelVar_8 + } + $_levelVar_12 := $_levelVar_8 + + // ------- while END --------------- + + + // ------- Havocking regions Join (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region Join + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: Join($r, $lvl, $x) + + // ------- Havocking regions Join (after atomic) END + + assert (r.$stepFrom_int in Join_atomicity_context_hf(r, lvl, x)) + assert r.$stepFrom_int == r.$stepTo_int + inhale Join_state(r, lvl, x) == r.$stepTo_int + inhale old(Join_state(r, lvl, x)) == r.$stepFrom_int + inhale acc(Join_Z(r), write) + exhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + assert $_levelVar_12 == $_levelVar_4 + loopVar0 := false + } + $_levelVar_13 := $_levelVar_4 + exhale acc(Join_atomicity_context_fp(r, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method $_Join_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) + + // ------- Stabilising regions Join (check stability of region interpretation) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, 
$$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize7](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize7](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +method $_Join_action_transitivity_check() +{ + var SET: Bool + var Z: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SET + inhale bState == cState || 0 == bState && 1 == cState && true && SET + assert aState == cState || 0 == aState && 1 == cState && true && SET +} + +method $_makeJoin_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ + var $_levelVar_14: Int + inhale $_levelVar_14 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Join (check stability of method condition) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) 
in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize8](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize8](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of method condition) END + + assert lvl >= 0 +} + +method $_set_to_one_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) +{ + var $_levelVar_15: Int + inhale $_levelVar_15 >= 0 && $_levelVar_15 > lvl + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Join (check stability of method condition) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize9](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize9](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) +} + +method $_wait_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == Join_state(r, lvl, x)) && + acc(Join_Z(r), write) +{ + var $_levelVar_16: Int + var v: Int + inhale 
$_levelVar_16 >= 0 && $_levelVar_16 > lvl + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale Join_interferenceSet_hf(5, r, lvl, x) == comprehension_41_220() + inhale Join_interferenceReference_hf(5, r, lvl, x) == + old(Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (check stability of method condition) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize10](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize10](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == Join_state(r, lvl, x)) && + acc(Join_Z(r), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoinClient-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoinClient-I.vl.vpr new file mode 100644 index 00000000..803bf2f8 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/ForkJoinClient-I.vl.vpr 
@@ -0,0 +1,3123 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Flag_state_T(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref): Bool + + function Join_state_T(r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_state_T(r: Ref, lvl: Int): Bool +} + +domain interferenceReference_Domain { + + function Flag_interferenceReference_df($p0: Int, r: Ref, alvl: Int, s: Ref, + lvl: Int, x: Ref, y: Ref): Bool + + function Join_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_interferenceReference_df($p0: Int, r: Ref, lvl: Int): Bool +} + +domain interferenceSet_Domain { + + function Flag_interferenceSet_df($p0: Int, r: Ref, alvl: Int, s: Ref, lvl: Int, + x: Ref, y: Ref): Set[Int] + + function Join_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + + function LevelDummy_interferenceSet_df($p0: Int, r: Ref, lvl: Int): Set[Int] +} + +domain atomicity_context_Domain { + + function Flag_atomicity_context_df(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref): Bool + + function Join_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_atomicity_context_df(r: Ref, lvl: Int): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_104_220(): Set[Int] + ensures (forall $k: Int ::($k in result) == true) + + +function Flag_atomicity_context_hf(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref): Set[Int] + requires acc(Flag_atomicity_context_fp(r, alvl, s, lvl, x, y), write) + ensures [Flag_atomicity_context_df(r, alvl, s, lvl, x, y), true] + + +function Flag_interferenceSet_hf($p0: Int, r: Ref, alvl: Int, s: Ref, lvl: Int, + x: Ref, y: Ref): Set[Int] + requires acc(Flag_interferenceContext_fp(r, alvl, s, lvl, x, y), 
write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Flag_interferenceSet_df($p0, r, alvl, s, lvl, x, y))), + true] + + +function Flag_interferenceReference_hf($p0: Int, r: Ref, alvl: Int, s: Ref, + lvl: Int, x: Ref, y: Ref): Int + requires acc(Flag_interferenceContext_fp(r, alvl, s, lvl, x, y), write) + ensures [Flag_interferenceReference_df($p0, r, alvl, s, lvl, x, y), true] + + +function Flag_state(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref): Int + requires acc(Flag(r, alvl, s, lvl, x, y), write) + ensures [Flag_state_T(r, alvl, s, lvl, x, y), true] +{ + (unfolding acc(Flag(r, alvl, s, lvl, x, y), write) in x.$memcell_$f) +} + +function Join_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_atomicity_context_fp(r, lvl, x), write) + ensures [Join_atomicity_context_df(r, lvl, x), true] + + +function Join_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in Join_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Join_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [Join_interferenceReference_df($p0, r, lvl, x), true] + + +function Join_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Join(r, lvl, x), write) + ensures [Join_state_T(r, lvl, x), true] +{ + (unfolding acc(Join(r, lvl, x), write) in x.$memcell_$f) +} + +function LevelDummy_atomicity_context_hf(r: Ref, lvl: Int): Set[Int] + requires acc(LevelDummy_atomicity_context_fp(r, lvl), write) + ensures [LevelDummy_atomicity_context_df(r, lvl), true] + + +function LevelDummy_interferenceSet_hf($p0: Int, r: Ref, lvl: Int): Set[Int] + requires acc(LevelDummy_interferenceContext_fp(r, lvl), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in 
LevelDummy_interferenceSet_df($p0, r, lvl))), + true] + + +function LevelDummy_interferenceReference_hf($p0: Int, r: Ref, lvl: Int): Int + requires acc(LevelDummy_interferenceContext_fp(r, lvl), write) + ensures [LevelDummy_interferenceReference_df($p0, r, lvl), true] + + +function LevelDummy_state(r: Ref, lvl: Int): Int + requires acc(LevelDummy(r, lvl), write) + ensures [LevelDummy_state_T(r, lvl), true] +{ + (unfolding acc(LevelDummy(r, lvl), write) in 0) +} + +predicate Flag_SFLAG($r: Ref) + +predicate Flag_atomicity_context_fp(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref) + +predicate Flag_interferenceContext_fp(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref) + +predicate Flag_sk_fp() + +predicate Flag(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) && + (x.$memcell_$f == 0 ? + acc(Join(s, lvl, y), write) && (lvl >= 0 && Join_state(s, lvl, y) == 0) && + lvl < alvl && + acc(Join_SET(s), write) : + true) && + (x.$memcell_$f == 1 ? 
+ acc(Join(s, lvl, y), write) && (lvl >= 0 && true) && lvl < alvl : + true) +} + +predicate Join_SET($r: Ref) + +predicate Join_Z($r: Ref) + +predicate Join_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_sk_fp() + +predicate Join(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +predicate LevelDummy_LevelDummyG($r: Ref) + +predicate LevelDummy_atomicity_context_fp(r: Ref, lvl: Int) + +predicate LevelDummy_interferenceContext_fp(r: Ref, lvl: Int) + +predicate LevelDummy_sk_fp() + +predicate LevelDummy(r: Ref, lvl: Int) { + true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_Flag() + + +method ___silicon_hack407_havoc_all_Flag_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_Join() + + +method ___silicon_hack407_havoc_all_Join_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_LevelDummy() + + +method ___silicon_hack407_havoc_all_LevelDummy_interferenceContext_fp() + + +method thread2(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref) + requires acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) +{ + var $_levelVar_0: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + inhale $_levelVar_0 >= 0 && $_levelVar_0 > alvl + assert $_levelVar_0 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: 
Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Flag(r, alvl, s, lvl, x, y), write) + + // ------- Stabilising regions Flag (infer context for use-atomic) BEGIN + + label pre_stabilize0 + + // Stabilising single instance of region Flag + quasihavoc Flag_interferenceContext_fp(r, alvl, s, lvl, x, y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(1, r, alvl, s, lvl, x, y)) } + ($$_m in Flag_interferenceSet_hf(1, r, alvl, s, lvl, x, y)) == + ((none < perm(r.$diamond) && + none < perm(Flag_atomicity_context_fp(r, alvl, s, lvl, x, y)) ==> + ($$_m in Flag_atomicity_context_hf(r, alvl, s, lvl, x, y))) && + ($$_m == old[pre_stabilize0](Flag_state(r, alvl, s, lvl, x, y)) || + 0 == old[pre_stabilize0](Flag_state(r, alvl, s, lvl, x, y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG(r)) == none))) + quasihavoc Flag(r, alvl, s, lvl, x, y) + inhale (Flag_state(r, alvl, s, lvl, x, y) in + Flag_interferenceSet_hf(1, r, alvl, s, lvl, x, y)) + + // havoc performed by other front resource + + inhale Flag_interferenceReference_hf(1, r, alvl, s, lvl, x, y) == + old[pre_stabilize0](Flag_state(r, alvl, s, lvl, x, y)) + + // ------- Stabilising regions Flag (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Flag_atomicity_context_fp(r, alvl, s, lvl, x, y)) == none + assert $_levelVar_0 > alvl + $_levelVar_1 := alvl + exhale acc(Flag_SFLAG(r), write) + unfold acc(Flag(r, alvl, s, lvl, x, y), write) + label transitionPre0 + quasihavoc Join_interferenceContext_fp(s, lvl, y) + + // no additional linking required + + + // havoc performed by other front resource + + inhale x.$memcell_$f == 0 ==> + Join_interferenceReference_hf(1, s, lvl, y) == + old[transitionPre0](Join_state(s, lvl, y)) + + // havoc performed by other front resource + + inhale x.$memcell_$f == 1 ==> + Join_interferenceReference_hf(1, 
s, lvl, y) == + old[transitionPre0](Join_state(s, lvl, y)) + inhale acc(Flag_SFLAG(r), write) + exhale acc(Flag(r, alvl, s, lvl, x, y), perm(Flag(r, alvl, s, lvl, x, y))) + + // ------- assert BEGIN ------------ + + assert acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 1 + + // ------- heap-write END ---------- + + fold acc(Flag(r, alvl, s, lvl, x, y), write) + assert old[pre_use_atomic0](Flag_state(r, alvl, s, lvl, x, y)) == + Flag_state(r, alvl, s, lvl, x, y) || + 0 == old[pre_use_atomic0](Flag_state(r, alvl, s, lvl, x, y)) && + 1 == Flag_state(r, alvl, s, lvl, x, y) + $_levelVar_2 := $_levelVar_0 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after use-atomic@18.3) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(2, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(2, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize](Flag_state($r, $alvl, $s, $lvl, $x, 
$y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(2, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(2, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale 
(forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(2, $r, $lvl)) } + none < old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(2, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(2, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(2, $r, $lvl) == + old[pre_stabilize](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after use-atomic@18.3) END + + + // ------- call:set_to_one BEGIN --- + + label pre_call0 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl + assert true + exhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + acc(Join_SET(s), write) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:set_to_one@25.3) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, 
$$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize2](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize2](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize2](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize2](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize2](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize2](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + 
LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize2](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:set_to_one@25.3) END + + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 1) && + acc(Join_SET(s), write) + + // ------- call:set_to_one END ----- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after call:set_to_one@25.3) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(3, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize3](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(3, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize3](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize3](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize3](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(3, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale 
(forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize3](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(3, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize3](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize3](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize3](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in 
LevelDummy_interferenceSet_df(3, $r, $lvl)) } + none < old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(3, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize3](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(3, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(3, $r, $lvl) == + old[pre_stabilize3](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after call:set_to_one@25.3) END + +} + +method main(dummy: Ref, lvl: Int, alvl: Int) + returns (x: Ref, y: Ref, r: Ref, s: Ref, ret: Int) + requires alvl > lvl && lvl >= 0 && + (acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true)) + ensures acc(Flag(r, alvl, s, lvl, x, y), write) && (alvl >= 0 && true) && + ret == 1 +{ + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + inhale $_levelVar_3 >= 0 && $_levelVar_3 > alvl + assert $_levelVar_3 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + 
+ // ------- inhale BEGIN ------------ + + inhale acc(x.$memcell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@35.3) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(4, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize4](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(4, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize4](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize4](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize4](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(4, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize4](perm(Flag($r, $alvl, $s, 
$lvl, $x, $y))) ==> + Flag_interferenceReference_hf(4, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize4](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize4](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize4](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(4, $r, $lvl)) } + none < old[pre_stabilize4](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(4, $r, $lvl)) == + 
((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize4](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize4](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(4, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize4](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(4, $r, $lvl) == + old[pre_stabilize4](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@35.3) END + + + // ------- call:makeJoin BEGIN ----- + + assert true + label pre_call + assert $_levelVar_3 >= 0 + assert true + exhale lvl >= 0 + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:makeJoin@37.3) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize5](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize5](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize5](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + 
perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize5](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize5](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize5](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize5](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:makeJoin@37.3) END + + y := havoc_Ref() + s := havoc_Ref() + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + acc(Join_SET(s), write) && + acc(Join_Z(s), write) + + // ------- call:makeJoin END ------- + + + // ------- assert BEGIN ------------ + + assert acc(Join(s, lvl, y), write) && (lvl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Join(s, lvl, y), write) && (lvl >= 0 && true) + + // ------- inhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Flag_SFLAG(r), 
write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Flag(r, alvl, s, lvl, x, y), write) + assert alvl >= 0 && true + + // ------- fold END ---------------- + + + // ------- assert BEGIN ------------ + + assert acc(Flag(r, alvl, s, lvl, x, y), write) && (alvl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Flag(r, alvl, s, lvl, x, y), write) && (alvl >= 0 && true) + + // ------- inhale END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) + + // ------- exhale END -------------- + + + // skip; + + + // ------- Stabilising regions Flag,Join,LevelDummy (after skip@53.3) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(5, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize6](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(5, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize6](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize6](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, 
$$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize6](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(5, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize6](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(5, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize6](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize6](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(5, $r, $lvl, $x) == + 
old[pre_stabilize6](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(5, $r, $lvl)) } + none < old[pre_stabilize6](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(5, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize6](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize6](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(5, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize6](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(5, $r, $lvl) == + old[pre_stabilize6](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after skip@53.3) END + + + // ------- call:wait BEGIN --------- + + assert (forall $_m: Int :: + { ($_m in Join_interferenceSet_hf(5, s, lvl, y)) } + ($_m in Join_interferenceSet_hf(5, s, lvl, y)) ==> + ($_m in comprehension_104_220())) + label pre_call2 + assert $_levelVar_3 >= 0 && $_levelVar_3 > lvl + assert true + exhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == Join_state(s, lvl, y)) && + acc(Join_Z(s), write) && + (Join_state(s, lvl, y) in comprehension_104_220()) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:wait@55.3) BEGIN + + label pre_stabilize7 + + // Stabilising all 
instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize7](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize7](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize7](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize7](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize7](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < 
perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize7](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:wait@55.3) END + + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 1) && + acc(Join_Z(s), write) + + // ------- call:wait END ----------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after call:wait@55.3) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(6, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize8](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(6, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize8](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize8](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize8](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(6, $r, $alvl, $s, $lvl, 
$x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize8](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(6, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize8](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize8](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize8](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: 
Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(6, $r, $lvl)) } + none < old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(6, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize8](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(6, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(6, $r, $lvl) == + old[pre_stabilize8](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after call:wait@55.3) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_3 > alvl + $_levelVar_4 := alvl + unfold acc(Flag(r, alvl, s, lvl, x, y), write) + label transitionPre + quasihavoc Join_interferenceContext_fp(s, lvl, y) + + // no additional linking required + + + // havoc performed by other front resource + + inhale x.$memcell_$f == 0 ==> + Join_interferenceReference_hf(6, s, lvl, y) == + old[transitionPre](Join_state(s, lvl, y)) + + // havoc performed by other front resource + + inhale x.$memcell_$f == 1 ==> + Join_interferenceReference_hf(6, s, lvl, y) == + old[transitionPre](Join_state(s, lvl, y)) + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Flag(r, alvl, s, lvl, x, y), write) + assert Flag_state(r, alvl, s, lvl, x, y) == + old[pre_open_region0](Flag_state(r, alvl, s, lvl, x, y)) + $_levelVar_5 := 
$_levelVar_3 + + // ------- open-region END --------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@57.3) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(7, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize9](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(7, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize9](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize9](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize9](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(7, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize9](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(7, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize9](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all 
instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize9](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize9](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize9](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize9](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(7, $r, $lvl)) } + none < old[pre_stabilize9](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(7, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == 
old[pre_stabilize9](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize9](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(7, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize9](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(7, $r, $lvl) == + old[pre_stabilize9](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@57.3) END + +} + +method makeJoin(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(Join(r, lvl, ret), write) && + (lvl >= 0 && Join_state(r, lvl, ret) == 0) && + acc(Join_SET(r), write) && + acc(Join_Z(r), write) +{ + var $_levelVar_6: Int + inhale $_levelVar_6 >= 0 + assert $_levelVar_6 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + ret.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@85.3) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, 
$$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(8, $r, $alvl, $s, $lvl, $x, $y)) } + none < + old[pre_stabilize10](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(8, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize10](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize10](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize10](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(8, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize10](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(8, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize10](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + 
{ ($$_m in Join_interferenceSet_df(8, $r, $lvl, $x)) } + none < old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(8, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize10](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize10](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(8, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(8, $r, $lvl, $x) == + old[pre_stabilize10](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(8, $r, $lvl)) } + none < old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(8, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize10](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + 
LevelDummy_interferenceSet_hf(8, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(8, $r, $lvl) == + old[pre_stabilize10](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@85.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Join_SET(r), write) && acc(Join_Z(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Join(r, lvl, ret), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method set_to_one(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 0) && + acc(Join_SET(r), write) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_SET(r), write) +{ + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + inhale $_levelVar_7 >= 0 && $_levelVar_7 > lvl + assert $_levelVar_7 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(Join_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + exhale acc(Join_SET(r), write) + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Join_SET(r), write) + exhale 
acc(Join(r, lvl, x), perm(Join(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 1 + + // ------- heap-write END ---------- + + fold acc(Join(r, lvl, x), write) + assert old[pre_use_atomic](Join_state(r, lvl, x)) == + Join_state(r, lvl, x) || + 0 == old[pre_use_atomic](Join_state(r, lvl, x)) && + 1 == Join_state(r, lvl, x) + $_levelVar_9 := $_levelVar_7 + + // ------- use-atomic END ---------- + +} + +method wait(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == Join_state(r, lvl, x)) && + acc(Join_Z(r), write) + requires (Join_state(r, lvl, x) in comprehension_104_220()) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_Z(r), write) +{ + var v: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + inhale $_levelVar_10 >= 0 && $_levelVar_10 > lvl + assert $_levelVar_10 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale Join_interferenceSet_hf(8, r, lvl, x) == comprehension_104_220() + inhale Join_interferenceReference_hf(8, r, lvl, x) == + old(Join_state(r, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(Join_Z(r), write) + exhale acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Flag,Join,LevelDummy 
(stabilizing frame before make-atomic) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize11](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize11](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize11](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize11](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize11](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + 
old[pre_stabilize11](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize11](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (stabilizing frame before make-atomic) END + + $_levelVar_11 := lvl + assert perm(Join_atomicity_context_fp(r, lvl, x)) == none + inhale acc(Join_atomicity_context_fp(r, lvl, x), write) + inhale Join_atomicity_context_hf(r, lvl, x) == + Join_interferenceSet_hf(8, r, lvl, x) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_Z(r), write) + { + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_atomicity_context_fp($r, + $alvl, $s, $lvl, $x, $y), old[preWhile0](perm(Flag_atomicity_context_fp($r, + $alvl, $s, $lvl, $x, $y))))) + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref :: + { Flag_atomicity_context_df($r, $alvl, $s, $lvl, $x, $y) } + none < + old[preWhile0](perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, + $y))) ==> + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y) == + old[preWhile0](Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) + inhale (forall $r: Ref, $lvl: Int, $x: 
Ref ::acc(Join_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))) ==> + Join_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Join_atomicity_context_hf($r, $lvl, $x))) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_atomicity_context_fp($r, + $lvl), old[preWhile0](perm(LevelDummy_atomicity_context_fp($r, $lvl))))) + inhale (forall $r: Ref, $lvl: Int :: + { LevelDummy_atomicity_context_df($r, $lvl) } + none < + old[preWhile0](perm(LevelDummy_atomicity_context_fp($r, $lvl))) ==> + LevelDummy_atomicity_context_hf($r, $lvl) == + old[preWhile0](LevelDummy_atomicity_context_hf($r, $lvl))) + inhale acc(Join(r, lvl, x), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions Join (before atomic) BEGIN + + label pre_stabilize12 + + // Stabilising single instance of region Join + quasihavoc Join(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + (Join_state(r, lvl, x) in Join_atomicity_context_hf(r, lvl, x))) && + (Join_state(r, lvl, x) == old[pre_stabilize12](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize12](Join_state(r, lvl, x)) && + 1 == Join_state(r, lvl, x) && + true && + perm(Join_SET(r)) == none) + + // ------- Stabilising regions Join (before atomic) END + + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize13 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(9, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(9, r, lvl, x)) == + 
((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize13](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize13](Join_state(r, lvl, x)) && 1 == $$_m && + true && + perm(Join_SET(r)) == none))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in Join_interferenceSet_hf(9, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(9, r, lvl, x) == + old[pre_stabilize13](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_10 > lvl + $_levelVar_12 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region](Join_state(r, lvl, x)) + $_levelVar_13 := $_levelVar_10 + + // ------- open-region END --------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@116.7) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in + Flag_interferenceSet_df(10, $r, $alvl, $s, $lvl, $x, $y)) } + none < + old[pre_stabilize14](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in + Flag_interferenceSet_hf(10, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < + perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + 
($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize14](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == + old[pre_stabilize14](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: none < + old[pre_stabilize14](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(10, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: none < + old[pre_stabilize14](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(10, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize14](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(10, $r, $lvl, $x)) } + none < old[pre_stabilize14](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(10, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize14](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize14](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, 
$x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(10, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(10, $r, $lvl, $x) == + old[pre_stabilize14](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(10, $r, $lvl)) } + none < old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(10, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize14](LevelDummy_state($r, $lvl)) || + false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(10, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(10, $r, $lvl) == + old[pre_stabilize14](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@116.7) END + + + // ------- if-then-else BEGIN ------ + + if (v == 1) { + + // ------- assert BEGIN ------------ + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) + + 
// ------- assert END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(r.$diamond, write) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(r.$stepFrom_int, write) && r.$stepFrom_int == 1 && + (acc(r.$stepTo_int, write) && r.$stepTo_int == 1) + + // ------- inhale END -------------- + + assert $_levelVar_13 == $_levelVar_13 + } + $_levelVar_14 := $_levelVar_13 + + // ------- if-then-else END -------- + + + // ------- while BEGIN ------------- + + label preWhile + while (v == 0) + invariant acc(Join(r, lvl, x), write) && (lvl >= 0 && true) + invariant (v == 0 ? + Join_state(r, lvl, x) >= 0 && acc(r.$diamond, write) : + Join_state(r, lvl, x) == 1 && + (acc(r.$stepFrom_int, write) && + r.$stepFrom_int == Join_state(r, lvl, x) && + (acc(r.$stepTo_int, write) && + r.$stepTo_int == Join_state(r, lvl, x)))) + { + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_atomicity_context_fp($r, + $alvl, $s, $lvl, $x, $y), old[preWhile](perm(Flag_atomicity_context_fp($r, + $alvl, $s, $lvl, $x, $y))))) + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref :: + { Flag_atomicity_context_df($r, $alvl, $s, $lvl, $x, $y) } + none < + old[preWhile](perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, + $x, $y))) ==> + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y) == + old[preWhile](Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) 
+ inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(Join_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(Join_atomicity_context_fp($r, $lvl, $x))) ==> + Join_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](Join_atomicity_context_hf($r, $lvl, $x))) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_atomicity_context_fp($r, + $lvl), old[preWhile](perm(LevelDummy_atomicity_context_fp($r, $lvl))))) + inhale (forall $r: Ref, $lvl: Int :: + { LevelDummy_atomicity_context_df($r, $lvl) } + none < + old[preWhile](perm(LevelDummy_atomicity_context_fp($r, $lvl))) ==> + LevelDummy_atomicity_context_hf($r, $lvl) == + old[preWhile](LevelDummy_atomicity_context_hf($r, $lvl))) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize15 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(11, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(11, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize15](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize15](Join_state(r, lvl, x)) && 1 == $$_m && + true && + perm(Join_SET(r)) == none))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in + Join_interferenceSet_hf(11, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(11, r, lvl, x) == + old[pre_stabilize15](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label 
pre_open_region2 + assert $_levelVar_14 > lvl + $_levelVar_15 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region2](Join_state(r, lvl, x)) + $_levelVar_16 := $_levelVar_14 + + // ------- open-region END --------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@116.7) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in + Flag_interferenceSet_df(12, $r, $alvl, $s, $lvl, $x, $y)) } + none < + old[pre_stabilize16](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in + Flag_interferenceSet_hf(12, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < + perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize16](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == + old[pre_stabilize16](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: none < + old[pre_stabilize16](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(12, $r, $alvl, 
$s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: none < + old[pre_stabilize16](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(12, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize16](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(12, $r, $lvl, $x)) } + none < old[pre_stabilize16](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize16](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize16](Join_state($r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(12, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_stabilize16](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale 
(forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(12, $r, $lvl)) } + none < old[pre_stabilize16](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(12, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize16](LevelDummy_state($r, $lvl)) || + false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize16](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(12, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize16](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(12, $r, $lvl) == + old[pre_stabilize16](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@116.7) END + + + // ------- if-then-else BEGIN ------ + + if (v == 1) { + + // ------- assert BEGIN ------------ + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) + + // ------- assert END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(r.$diamond, write) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(r.$stepFrom_int, write) && r.$stepFrom_int == 1 && + (acc(r.$stepTo_int, write) && r.$stepTo_int == 1) + + // ------- inhale END -------------- + + assert $_levelVar_16 == $_levelVar_16 + } + $_levelVar_17 := $_levelVar_16 + + // ------- if-then-else END -------- + + assert $_levelVar_17 == $_levelVar_14 + } + $_levelVar_18 := $_levelVar_14 + + // ------- while END --------------- + + + // ------- Havocking regions Join (after atomic) BEGIN + + label pre_havoc0 + + 
// Havocking single instance of region Join + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: Join($r, $lvl, $x) + + // ------- Havocking regions Join (after atomic) END + + assert (r.$stepFrom_int in Join_atomicity_context_hf(r, lvl, x)) + assert r.$stepFrom_int == r.$stepTo_int + inhale Join_state(r, lvl, x) == r.$stepTo_int + inhale old(Join_state(r, lvl, x)) == r.$stepFrom_int + inhale acc(Join_Z(r), write) + exhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + assert $_levelVar_18 == $_levelVar_10 + loopVar0 := false + } + $_levelVar_19 := $_levelVar_10 + exhale acc(Join_atomicity_context_fp(r, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method $_Flag_interpretation_stability_check(r: Ref, alvl: Int, s: Ref, lvl: Int, + x: Ref, y: Ref) +{ + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) && + (x.$memcell_$f == 0 ? + acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + lvl < alvl && + acc(Join_SET(s), write) : + true) && + (x.$memcell_$f == 1 ? 
+ acc(Join(s, lvl, y), write) && (lvl >= 0 && true) && lvl < alvl : + true) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize17](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize17](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize17](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize17](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize17](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + 
inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize17](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize17](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) && + (x.$memcell_$f == 0 ? + acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + lvl < alvl && + acc(Join_SET(s), write) : + true) && + (x.$memcell_$f == 1 ? + acc(Join(s, lvl, y), write) && (lvl >= 0 && true) && lvl < alvl : + true) +} + +method $_Flag_action_transitivity_check() +{ + var SFLAG: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SFLAG + inhale bState == cState || 0 == bState && 1 == cState && true && SFLAG + assert aState == cState || 0 == aState && 1 == cState && true && SFLAG +} + +method $_Join_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) + + // ------- Stabilising regions Flag,Join,LevelDummy (check 
stability of region interpretation) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize18](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize18](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize18](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize18](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize18](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + 
old[pre_stabilize18](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize18](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +method $_Join_action_transitivity_check() +{ + var SET: Bool + var Z: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SET + inhale bState == cState || 0 == bState && 1 == cState && true && SET + assert aState == cState || 0 == aState && 1 == cState && true && SET +} + +method $_LevelDummy_interpretation_stability_check(r: Ref, lvl: Int) +{ + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale true + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + 
old[pre_stabilize19](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize19](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize19](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize19](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize19](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize19](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize19](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) END + + assert true +} + +method 
$_LevelDummy_action_transitivity_check() +{ + var LevelDummyG: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState + inhale bState == cState + assert aState == cState +} + +method $_thread2_condition_stability_precondition_check(r: Ref, alvl: Int, s: Ref, + lvl: Int, x: Ref, y: Ref) + requires acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) +{ + var $_levelVar_20: Int + inhale $_levelVar_20 >= 0 && $_levelVar_20 > alvl + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize20 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize20](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize20](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize20](Flag_state($r, 
$alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize20](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize20](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize20](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize20](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize20](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) +} + +method $_main_condition_stability_precondition_check(dummy: Ref, lvl: Int, alvl: Int, + x: Ref, y: Ref, r: Ref, s: Ref, ret: Int) + requires alvl > lvl && lvl >= 0 && + (acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true)) +{ + var $_levelVar_21: Int + inhale $_levelVar_21 >= 0 && $_levelVar_21 > alvl + inhale 
acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize21 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize21](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize21](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize21](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, 
$lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize21](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize21](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize21](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize21](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert alvl > lvl && lvl >= 0 && + (acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true)) +} + +method $_makeJoin_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ + var $_levelVar_22: Int + inhale $_levelVar_22 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize22 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, 
$$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize22](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize22](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize22](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize22](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize22](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize22](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + 
LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize22](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert lvl >= 0 +} + +method $_set_to_one_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 0) && + acc(Join_SET(r), write) +{ + var $_levelVar_23: Int + inhale $_levelVar_23 >= 0 && $_levelVar_23 > lvl + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize23 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize23](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize23](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == 
old[pre_stabilize23](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize23](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize23](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize23](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize23](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize23](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 0) && + acc(Join_SET(r), write) +} + +method $_wait_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == Join_state(r, lvl, x)) && + acc(Join_Z(r), write) +{ + var $_levelVar_24: Int + var v: Int + inhale $_levelVar_24 >= 0 && $_levelVar_24 > lvl + inhale 
acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale Join_interferenceSet_hf(12, r, lvl, x) == comprehension_104_220() + inhale Join_interferenceReference_hf(12, r, lvl, x) == + old(Join_state(r, lvl, x)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize24 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize24](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize24](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize24](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + 
old[pre_stabilize24](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize24](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize24](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize24](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize24](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == Join_state(r, lvl, x)) && + acc(Join_Z(r), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/IncDec-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/IncDec-I.vl.vpr new file mode 100644 index 00000000..9763df5a --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/IncDec-I.vl.vpr 
@@ -0,0 +1,2115 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function IncDec_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function IncDec_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function IncDec_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function IncDec_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$val: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function IncDec_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(IncDec_atomicity_context_fp(r, lvl, x), write) + ensures [IncDec_atomicity_context_df(r, lvl, x), true] + + +function IncDec_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(IncDec_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in IncDec_interferenceSet_df($p0, r, lvl, x))), + true] + + +function IncDec_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec_interferenceContext_fp(r, lvl, x), write) + ensures [IncDec_interferenceReference_df($p0, r, lvl, x), true] + + +function IncDec_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec_sk_fp(), write) + + +function IncDec_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec_sk_fp(), write) + + +function IncDec_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec(r, lvl, x), write) + ensures [IncDec_state_T(r, lvl, x), true] +{ + (unfolding acc(IncDec(r, lvl, x), write) in x.$memcell_$val) +} + +predicate IncDec_INC($r: Ref) + +predicate IncDec_DEC($r: Ref) + +predicate 
IncDec_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate IncDec_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate IncDec_sk_fp() + +predicate IncDec(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$val, write) && true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_IncDec() + + +method ___silicon_hack407_havoc_all_IncDec_interferenceContext_fp() + + +method makeCounter(lvl: Int, r: Ref) returns (ret: Ref) + requires lvl >= 0 + ensures acc(IncDec(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(IncDec_INC(r), write) && + acc(IncDec_DEC(r), write) +{ + var v: Ref + var w: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(v.$memcell_$val, write) && true + w := v.$memcell_$val + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + v.$memcell_$val := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions IncDec (after heap-write@30.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == 
old[pre_stabilize0](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after heap-write@30.3) END + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(IncDec_INC(r), write) && acc(IncDec_DEC(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(IncDec(r, lvl, ret), write) + assert lvl >= 0 && IncDec_state(r, lvl, ret) == 0 + + // ------- fold END ---------------- + +} + +method increment(r: Ref, lvl: Int, x: Ref, k: Int) returns (ret: Int) + requires acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && IncDec_state(r, lvl, x) == IncDec_state(r, lvl, x)) && + acc(IncDec_INC(r), write) && + k > 0 + requires 
(IncDec_state(r, lvl, x) in IntSet()) + ensures acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && + IncDec_state(r, lvl, x) == old(IncDec_state(r, lvl, x)) + k) && + acc(IncDec_INC(r), write) +{ + var b: Bool + var v: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale IncDec_interferenceSet_hf(1, r, lvl, x) == IntSet() + inhale IncDec_interferenceReference_hf(1, r, lvl, x) == + old(IncDec_state(r, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(IncDec_INC(r), write) + exhale acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + 
IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising regions IncDec (stabilizing frame before make-atomic) END + + $_levelVar_2 := lvl + assert perm(IncDec_atomicity_context_fp(r, lvl, x)) == none + inhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + inhale IncDec_atomicity_context_hf(r, lvl, x) == + IncDec_interferenceSet_hf(1, r, lvl, x) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && + IncDec_state(r, lvl, x) == old(IncDec_state(r, lvl, x)) + k) && + acc(IncDec_INC(r), write) + { + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(IncDec_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { IncDec_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(IncDec_atomicity_context_fp($r, $lvl, $x))) ==> + IncDec_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](IncDec_atomicity_context_hf($r, $lvl, $x))) + inhale acc(IncDec(r, lvl, x), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions IncDec (before atomic) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region IncDec + quasihavoc IncDec(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < 
perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + (IncDec_state(r, lvl, x) in IncDec_atomicity_context_hf(r, lvl, x))) && + (IncDec_state(r, lvl, x) == + old[pre_stabilize2](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize2](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == IncDec_state(r, lvl, x) && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize2](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == IncDec_state(r, lvl, x) && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize2](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == IncDec_state(r, lvl, x) && + true && + (true && true))) + + // ------- Stabilising regions IncDec (before atomic) END + + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize3 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(2, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(2, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize3](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize3](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize3](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + 
true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize3](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && true))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(2, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(2, r, lvl, x) == + old[pre_stabilize3](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_3 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region0](IncDec_state(r, lvl, x)) + $_levelVar_4 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@54.7) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + 
IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize4](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@54.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update0 + assert $_levelVar_4 > lvl + $_levelVar_5 := lvl + exhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_5 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$val) == v ? 
+ b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v + k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call0](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + if (IncDec_state(r, lvl, x) != + old[pre_region_update0](IncDec_state(r, lvl, x))) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update0](IncDec_state(r, lvl, x)) + r.$stepTo_int := IncDec_state(r, lvl, x) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + inhale IncDec_atomicity_context_hf(r, lvl, x) == + old[pre_region_update0](IncDec_atomicity_context_hf(r, lvl, x)) + $_levelVar_6 := $_levelVar_4 + + // ------- update-region END ------- + + + // ------- Stabilising regions IncDec (after update-region@58.7) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + 
IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after update-region@58.7) END + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + k > 0 + invariant (!b ? acc(r.$diamond, write) : true) + invariant (b ? 
+ acc(r.$stepFrom_int, write) && r.$stepFrom_int == v && + (acc(r.$stepTo_int, write) && r.$stepTo_int == v + k) : + true) + { + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(IncDec_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { IncDec_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(IncDec_atomicity_context_fp($r, $lvl, $x))) ==> + IncDec_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](IncDec_atomicity_context_hf($r, $lvl, $x))) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize6 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(5, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(5, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize6](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize6](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize6](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize6](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && true))))) + 
quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(5, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(5, r, lvl, x) == + old[pre_stabilize6](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_6 > lvl + $_levelVar_7 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region](IncDec_state(r, lvl, x)) + $_levelVar_8 := $_levelVar_6 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@54.7) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](IncDec_state($r, $lvl, $x)) && + 
IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize7](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@54.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update + assert $_levelVar_8 > lvl + $_levelVar_9 := lvl + exhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_9 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$val) == v ? 
+ b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v + k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + if (IncDec_state(r, lvl, x) != + old[pre_region_update](IncDec_state(r, lvl, x))) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update](IncDec_state(r, lvl, x)) + r.$stepTo_int := IncDec_state(r, lvl, x) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + inhale IncDec_atomicity_context_hf(r, lvl, x) == + old[pre_region_update](IncDec_atomicity_context_hf(r, lvl, x)) + $_levelVar_10 := $_levelVar_8 + + // ------- update-region END ------- + + + // ------- Stabilising regions IncDec (after update-region@58.7) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + 
IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after update-region@58.7) END + + assert $_levelVar_10 == $_levelVar_6 + } + $_levelVar_11 := $_levelVar_6 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- Havocking regions IncDec (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region IncDec + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: IncDec($r, $lvl, $x) + + // ------- Havocking regions IncDec (after atomic) END + + assert (r.$stepFrom_int in IncDec_atomicity_context_hf(r, lvl, x)) + assert r.$stepFrom_int == r.$stepTo_int || + r.$stepFrom_int < r.$stepTo_int + inhale IncDec_state(r, lvl, x) == r.$stepTo_int + inhale old(IncDec_state(r, lvl, x)) == r.$stepFrom_int + inhale acc(IncDec_INC(r), write) + exhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + assert $_levelVar_11 == $_levelVar_1 + loopVar0 := false + } + $_levelVar_12 := $_levelVar_1 + exhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method decrement(r: Ref, lvl: Int, x: Ref, k: Int) 
returns (ret: Int) + requires acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && IncDec_state(r, lvl, x) == IncDec_state(r, lvl, x)) && + acc(IncDec_DEC(r), write) && + k > 0 + requires (IncDec_state(r, lvl, x) in IntSet()) + ensures acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && + IncDec_state(r, lvl, x) == old(IncDec_state(r, lvl, x)) - k) && + acc(IncDec_DEC(r), write) +{ + var b: Bool + var v: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + var $_levelVar_21: Int + var $_levelVar_22: Int + var $_levelVar_23: Int + var $_levelVar_24: Int + inhale $_levelVar_13 >= 0 && $_levelVar_13 > lvl + assert $_levelVar_13 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale IncDec_interferenceSet_hf(7, r, lvl, x) == IntSet() + inhale IncDec_interferenceReference_hf(7, r, lvl, x) == + old(IncDec_state(r, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar: Bool + exhale acc(IncDec_DEC(r), write) + exhale acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + 
old[pre_stabilize9](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising regions IncDec (stabilizing frame before make-atomic) END + + $_levelVar_14 := lvl + assert perm(IncDec_atomicity_context_fp(r, lvl, x)) == none + inhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + inhale IncDec_atomicity_context_hf(r, lvl, x) == + IncDec_interferenceSet_hf(7, r, lvl, x) + label preWhile2 + loopVar := true + while (loopVar) + invariant !loopVar ==> + acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && + IncDec_state(r, lvl, x) == old(IncDec_state(r, lvl, x)) - k) && + acc(IncDec_DEC(r), write) + { + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_atomicity_context_fp($r, + $lvl, $x), old[preWhile2](perm(IncDec_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { IncDec_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile2](perm(IncDec_atomicity_context_fp($r, $lvl, $x))) ==> + IncDec_atomicity_context_hf($r, $lvl, $x) == + old[preWhile2](IncDec_atomicity_context_hf($r, $lvl, $x))) + inhale acc(IncDec(r, lvl, x), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions IncDec (before atomic) BEGIN + + label pre_stabilize10 + + // 
Stabilising single instance of region IncDec + quasihavoc IncDec(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + (IncDec_state(r, lvl, x) in IncDec_atomicity_context_hf(r, lvl, x))) && + (IncDec_state(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == IncDec_state(r, lvl, x) && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == IncDec_state(r, lvl, x) && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == IncDec_state(r, lvl, x) && + true && + (true && true))) + + // ------- Stabilising regions IncDec (before atomic) END + + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize11 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(8, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(8, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize11](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize11](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + 
IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize11](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize11](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && true))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(8, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(8, r, lvl, x) == + old[pre_stabilize11](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_13 > lvl + $_levelVar_15 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region2](IncDec_state(r, lvl, x)) + $_levelVar_16 := $_levelVar_13 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@83.7) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize12](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == 
old[pre_stabilize12](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@83.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update2 + assert $_levelVar_16 > lvl + $_levelVar_17 := lvl + exhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call2 + assert $_levelVar_17 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call2](x.$memcell_$val) == v ? 
+ b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v - k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call2](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + if (IncDec_state(r, lvl, x) != + old[pre_region_update2](IncDec_state(r, lvl, x))) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update2](IncDec_state(r, lvl, x)) + r.$stepTo_int := IncDec_state(r, lvl, x) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + inhale IncDec_atomicity_context_hf(r, lvl, x) == + old[pre_region_update2](IncDec_atomicity_context_hf(r, lvl, x)) + $_levelVar_18 := $_levelVar_16 + + // ------- update-region END ------- + + + // ------- Stabilising regions IncDec (after update-region@87.7) BEGIN + + label pre_stabilize13 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(10, $r, $lvl, $x)) } + none < old[pre_stabilize13](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(10, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize13](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + 
IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(10, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(10, $r, $lvl, $x) == + old[pre_stabilize13](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after update-region@87.7) END + + + // ------- while BEGIN ------------- + + label preWhile3 + while (!b) + invariant acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + k > 0 + invariant (!b ? acc(r.$diamond, write) : true) + invariant (b ? 
+ acc(r.$stepFrom_int, write) && r.$stepFrom_int == v && + (acc(r.$stepTo_int, write) && r.$stepTo_int == v - k) : + true) + { + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_atomicity_context_fp($r, + $lvl, $x), old[preWhile3](perm(IncDec_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { IncDec_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile3](perm(IncDec_atomicity_context_fp($r, $lvl, $x))) ==> + IncDec_atomicity_context_hf($r, $lvl, $x) == + old[preWhile3](IncDec_atomicity_context_hf($r, $lvl, $x))) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize14 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(11, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(11, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize14](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize14](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize14](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize14](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && 
true))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(11, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(11, r, lvl, x) == + old[pre_stabilize14](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_18 > lvl + $_levelVar_19 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region3](IncDec_state(r, lvl, x)) + $_levelVar_20 := $_levelVar_18 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@83.7) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(12, $r, $lvl, $x)) } + none < old[pre_stabilize15](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize15](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, 
$lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(12, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@83.7) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update3 + assert $_levelVar_20 > lvl + $_levelVar_21 := lvl + exhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call3 + assert $_levelVar_21 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call3](x.$memcell_$val) == v ? 
+ b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v - k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call3](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + if (IncDec_state(r, lvl, x) != + old[pre_region_update3](IncDec_state(r, lvl, x))) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update3](IncDec_state(r, lvl, x)) + r.$stepTo_int := IncDec_state(r, lvl, x) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + inhale IncDec_atomicity_context_hf(r, lvl, x) == + old[pre_region_update3](IncDec_atomicity_context_hf(r, lvl, x)) + $_levelVar_22 := $_levelVar_20 + + // ------- update-region END ------- + + + // ------- Stabilising regions IncDec (after update-region@87.7) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(13, $r, $lvl, $x)) } + none < old[pre_stabilize16](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(13, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize16](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + 
IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(13, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(13, $r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after update-region@87.7) END + + assert $_levelVar_22 == $_levelVar_18 + } + $_levelVar_23 := $_levelVar_18 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- Havocking regions IncDec (after atomic) BEGIN + + label pre_havoc + + // Havocking single instance of region IncDec + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: IncDec($r, $lvl, $x) + + // ------- Havocking regions IncDec (after atomic) END + + assert (r.$stepFrom_int in IncDec_atomicity_context_hf(r, lvl, x)) + assert r.$stepFrom_int == r.$stepTo_int || + r.$stepTo_int < r.$stepFrom_int + inhale IncDec_state(r, lvl, x) == r.$stepTo_int + inhale old(IncDec_state(r, lvl, x)) == r.$stepFrom_int + inhale acc(IncDec_DEC(r), write) + exhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + assert $_levelVar_23 == $_levelVar_13 + loopVar := false + } + $_levelVar_24 := $_levelVar_13 + exhale acc(IncDec_atomicity_context_fp(r, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method read(r: Ref, lvl: Int, x: Ref) 
returns (ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) + ensures acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_25: Int + var $_levelVar_26: Int + var $_levelVar_27: Int + inhale $_levelVar_25 >= 0 && $_levelVar_25 > lvl + assert $_levelVar_25 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize17 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(14, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(14, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize17](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize17](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize17](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + true || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize17](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && true))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(14, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(14, r, lvl, x) == + old[pre_stabilize17](IncDec_state(r, lvl, x)) 
+ + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region4 + assert $_levelVar_25 > lvl + $_levelVar_26 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region4](IncDec_state(r, lvl, x)) + $_levelVar_27 := $_levelVar_25 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@101.3) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(15, $r, $lvl, $x)) } + none < old[pre_stabilize18](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(15, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize18](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, 
$lvl, $x) == $$_m && + true && + (true && true)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(15, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(15, $r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@101.3) END + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$val, write) && true + ensures (old(x.$memcell_$val) == now ? + ret && (acc(x.$memcell_$val, write) && x.$memcell_$val == thn) : + !ret && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old(x.$memcell_$val))) + + +method $_IncDec_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$val, write) && true + + // ------- Stabilising regions IncDec (check stability of region interpretation) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + 
old[pre_stabilize19](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising regions IncDec (check stability of region interpretation) END + + assert acc(x.$memcell_$val, write) && true +} + +method $_IncDec_action_transitivity_check() +{ + var INC: Bool + var DEC: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_1_x: Int + var $_action_m_1_x: Int + var $_action_n_2_x: Int + var $_action_m_2_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var $_action_n_1_y: Int + var $_action_m_1_y: Int + var $_action_n_2_y: Int + var $_action_m_2_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + INC || + $_action_n_1_x == aState && $_action_m_1_x == bState && + $_action_m_1_x < $_action_n_1_x && + DEC || + $_action_n_2_x == aState && $_action_m_2_x == bState && true && + (INC && DEC) + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + INC || + $_action_n_1_y == bState && $_action_m_1_y == cState && + $_action_m_1_y < $_action_n_1_y && + DEC || + $_action_n_2_y == bState && $_action_m_2_y == cState && true && + (INC && DEC) + assert aState == 
cState || + aState == aState && cState == cState && aState < cState && INC || + aState == aState && cState == cState && cState < aState && DEC || + aState == aState && cState == cState && true && (INC && DEC) +} + +method $_makeCounter_condition_stability_precondition_check(lvl: Int, r: Ref, + ret: Ref) + requires lvl >= 0 +{ + var $_levelVar_29: Int + var v: Ref + inhale $_levelVar_29 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize20 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize20](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize20](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize20](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize20](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize20](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising 
regions IncDec (check stability of method condition) END + + assert lvl >= 0 +} + +method $_increment_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, k: Int, ret: Int) + requires acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && IncDec_state(r, lvl, x) == IncDec_state(r, lvl, x)) && + acc(IncDec_INC(r), write) && + k > 0 +{ + var $_levelVar_30: Int + var b: Bool + var v: Int + inhale $_levelVar_30 >= 0 && $_levelVar_30 > lvl + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale IncDec_interferenceSet_hf(15, r, lvl, x) == IntSet() + inhale IncDec_interferenceReference_hf(15, r, lvl, x) == + old(IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize21 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize21](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize21](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize21](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + 
IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize21](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising regions IncDec (check stability of method condition) END + + assert acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && IncDec_state(r, lvl, x) == IncDec_state(r, lvl, x)) && + acc(IncDec_INC(r), write) && + k > 0 +} + +method $_decrement_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, k: Int, ret: Int) + requires acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && IncDec_state(r, lvl, x) == IncDec_state(r, lvl, x)) && + acc(IncDec_DEC(r), write) && + k > 0 +{ + var $_levelVar_31: Int + var b: Bool + var v: Int + inhale $_levelVar_31 >= 0 && $_levelVar_31 > lvl + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale IncDec_interferenceSet_hf(15, r, lvl, x) == IntSet() + inhale IncDec_interferenceReference_hf(15, r, lvl, x) == + old(IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize22 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize22](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize22](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + 
IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize22](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize22](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising regions IncDec (check stability of method condition) END + + assert acc(IncDec(r, lvl, x), write) && + (lvl >= 0 && IncDec_state(r, lvl, x) == IncDec_state(r, lvl, x)) && + acc(IncDec_DEC(r), write) && + k > 0 +} + +method $_read_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_32: Int + inhale $_levelVar_32 >= 0 && $_levelVar_32 > lvl + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize23 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize23](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize23](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize23](IncDec_state($r, $lvl, $x)) && + 
IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize23](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + true || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize23](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (true && true)))) + + // ------- Stabilising regions IncDec (check stability of method condition) END + + assert acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/SpinLock-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/SpinLock-I.vl.vpr new file mode 100644 index 00000000..2d6460b6 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/SpinLock-I.vl.vpr 
@@ -0,0 +1,958 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function SLock_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function SLock_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function SLock_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function SLock_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function SLock_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(SLock_atomicity_context_fp(r, lvl, x), write) + ensures [SLock_atomicity_context_df(r, lvl, x), true] + + +function SLock_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(SLock_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in SLock_interferenceSet_df($p0, r, lvl, x))), + true] + + +function SLock_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(SLock_interferenceContext_fp(r, lvl, x), write) + ensures [SLock_interferenceReference_df($p0, r, lvl, x), true] + + +function SLock_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(SLock(r, lvl, x), write) + ensures [SLock_state_T(r, lvl, x), true] +{ + (unfolding acc(SLock(r, lvl, x), write) in x.$memcell_$f) +} + +predicate SLock_LOCK($r: Ref) + +predicate SLock_UNLOCK($r: Ref) + +predicate SLock_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate SLock_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate SLock_sk_fp() + +predicate SLock(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + 
(x.$memcell_$f == 0 ? acc(SLock_UNLOCK(r), write) : true) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_SLock() + + +method ___silicon_hack407_havoc_all_SLock_interferenceContext_fp() + + +method makeLock(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(SLock(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(SLock_LOCK(r), write) +{ + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$f, write) && ret.$memcell_$f == 0 + + // ------- inhale END -------------- + + + // ------- havoc BEGIN ------------- + + r := havoc_Ref() + + // ------- havoc END --------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(SLock_LOCK(r), write) && acc(SLock_UNLOCK(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(SLock(r, lvl, ret), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method acquire(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == SLock_state(r, lvl, x)) && + acc(SLock_LOCK(r), write) + requires (SLock_state(r, lvl, x) in Set(0, 1)) + ensures acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_LOCK(r), write) && + acc(SLock_UNLOCK(r), write) + ensures old(SLock_state(r, lvl, x)) == 0 +{ + var b: Bool + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + 
inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale SLock_interferenceSet_hf(0, r, lvl, x) == Set(0, 1) + inhale SLock_interferenceReference_hf(0, r, lvl, x) == + old(SLock_state(r, lvl, x)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(SLock_LOCK(r), write) + exhale acc(SLock(r, lvl, x), write) + + // ------- Stabilising regions SLock (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize0](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize0](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize0](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none))) + + // ------- Stabilising regions SLock (stabilizing frame before make-atomic) END + + $_levelVar_2 := lvl + assert perm(SLock_atomicity_context_fp(r, lvl, x)) == none + inhale acc(SLock_atomicity_context_fp(r, lvl, x), write) + inhale SLock_atomicity_context_hf(r, lvl, x) == + SLock_interferenceSet_hf(0, r, lvl, x) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_LOCK(r), write) && + acc(SLock_UNLOCK(r), write) + invariant !loopVar0 ==> old(SLock_state(r, lvl, x)) == 0 + { 
+ inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(SLock_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { SLock_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(SLock_atomicity_context_fp($r, $lvl, $x))) ==> + SLock_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](SLock_atomicity_context_hf($r, $lvl, $x))) + inhale acc(SLock(r, lvl, x), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions SLock (before atomic) BEGIN + + label pre_stabilize + + // Stabilising single instance of region SLock + quasihavoc SLock(r, lvl, x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < perm(SLock_atomicity_context_fp(r, lvl, x)) ==> + (SLock_state(r, lvl, x) in SLock_atomicity_context_hf(r, lvl, x))) && + (SLock_state(r, lvl, x) == old[pre_stabilize](SLock_state(r, lvl, x)) || + (0 == old[pre_stabilize](SLock_state(r, lvl, x)) && + 1 == SLock_state(r, lvl, x) && + true && + true || + 1 == old[pre_stabilize](SLock_state(r, lvl, x)) && + 0 == SLock_state(r, lvl, x) && + true && + perm(SLock_UNLOCK(r)) == none)) + + // ------- Stabilising regions SLock (before atomic) END + + assert acc(SLock(r, lvl, x), write) + + // ------- Stabilising regions SLock (infer context for update-region) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region SLock + quasihavoc SLock_interferenceContext_fp(r, lvl, x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(1, r, lvl, x)) } + ($$_m in SLock_interferenceSet_hf(1, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(SLock_atomicity_context_fp(r, lvl, x)) 
==> + ($$_m in SLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize2](SLock_state(r, lvl, x)) || + (0 == old[pre_stabilize2](SLock_state(r, lvl, x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize2](SLock_state(r, lvl, x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK(r)) == none)))) + quasihavoc SLock(r, lvl, x) + inhale (SLock_state(r, lvl, x) in + SLock_interferenceSet_hf(1, r, lvl, x)) + + // havoc performed by other front resource + + inhale SLock_interferenceReference_hf(1, r, lvl, x) == + old[pre_stabilize2](SLock_state(r, lvl, x)) + + // ------- Stabilising regions SLock (infer context for update-region) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update0 + assert $_levelVar_1 > lvl + $_levelVar_3 := lvl + exhale acc(SLock_atomicity_context_fp(r, lvl, x), write) + unfold acc(SLock(r, lvl, x), write) + + // no interference context translation needed + + exhale acc(SLock(r, lvl, x), perm(SLock(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_3 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$f) == 0 ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call0](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(SLock(r, lvl, x), write) + if (SLock_state(r, lvl, x) != + old[pre_region_update0](SLock_state(r, lvl, x))) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update0](SLock_state(r, lvl, x)) + r.$stepTo_int := SLock_state(r, lvl, x) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(SLock_atomicity_context_fp(r, lvl, x), write) + inhale SLock_atomicity_context_hf(r, lvl, x) == + old[pre_region_update0](SLock_atomicity_context_hf(r, lvl, x)) + $_levelVar_4 := $_levelVar_1 + + // ------- update-region END ------- + + + // ------- Stabilising regions SLock (after update-region@51.7) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(SLock($r, $lvl, $x))) ==> + ($$_m in SLock_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in SLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize3](SLock_state($r, $lvl, $x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize3](SLock_state($r, $lvl, $x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK($r)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(SLock($r, $lvl, $x))) ==> + 
(SLock_state($r, $lvl, $x) in + SLock_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(SLock($r, $lvl, $x))) ==> + SLock_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize3](SLock_state($r, $lvl, $x))) + + // ------- Stabilising regions SLock (after update-region@51.7) END + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(SLock(r, lvl, x), write) && (lvl >= 0 && true) + invariant (!b ? acc(r.$diamond, write) : true) + invariant (b ? + acc(r.$stepFrom_int, write) && r.$stepFrom_int == 0 && + (acc(r.$stepTo_int, write) && r.$stepTo_int == 1) && + acc(SLock_UNLOCK(r), write) : + true) + { + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(SLock_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { SLock_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(SLock_atomicity_context_fp($r, $lvl, $x))) ==> + SLock_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](SLock_atomicity_context_hf($r, $lvl, $x))) + assert acc(SLock(r, lvl, x), write) + + // ------- Stabilising regions SLock (infer context for update-region) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region SLock + quasihavoc SLock_interferenceContext_fp(r, lvl, x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(3, r, lvl, x)) } + ($$_m in SLock_interferenceSet_hf(3, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(SLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in SLock_atomicity_context_hf(r, lvl, x))) && + 
($$_m == old[pre_stabilize4](SLock_state(r, lvl, x)) || + (0 == old[pre_stabilize4](SLock_state(r, lvl, x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize4](SLock_state(r, lvl, x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK(r)) == none)))) + quasihavoc SLock(r, lvl, x) + inhale (SLock_state(r, lvl, x) in + SLock_interferenceSet_hf(3, r, lvl, x)) + + // havoc performed by other front resource + + inhale SLock_interferenceReference_hf(3, r, lvl, x) == + old[pre_stabilize4](SLock_state(r, lvl, x)) + + // ------- Stabilising regions SLock (infer context for update-region) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update + assert $_levelVar_4 > lvl + $_levelVar_5 := lvl + exhale acc(SLock_atomicity_context_fp(r, lvl, x), write) + unfold acc(SLock(r, lvl, x), write) + + // no interference context translation needed + + exhale acc(SLock(r, lvl, x), perm(SLock(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_5 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$f) == 0 ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(SLock(r, lvl, x), write) + if (SLock_state(r, lvl, x) != + old[pre_region_update](SLock_state(r, lvl, x))) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update](SLock_state(r, lvl, x)) + r.$stepTo_int := SLock_state(r, lvl, x) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(SLock_atomicity_context_fp(r, lvl, x), write) + inhale SLock_atomicity_context_hf(r, lvl, x) == + old[pre_region_update](SLock_atomicity_context_hf(r, lvl, x)) + $_levelVar_6 := $_levelVar_4 + + // ------- update-region END ------- + + + // ------- Stabilising regions SLock (after update-region@51.7) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(SLock($r, $lvl, $x))) ==> + ($$_m in SLock_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in SLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize5](SLock_state($r, $lvl, $x)) && + 1 == $$_m && + true && + true || + 1 == old[pre_stabilize5](SLock_state($r, $lvl, $x)) && + 0 == $$_m && + true && + perm(SLock_UNLOCK($r)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(SLock($r, $lvl, $x))) ==> + 
(SLock_state($r, $lvl, $x) in + SLock_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(SLock($r, $lvl, $x))) ==> + SLock_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize5](SLock_state($r, $lvl, $x))) + + // ------- Stabilising regions SLock (after update-region@51.7) END + + assert $_levelVar_6 == $_levelVar_4 + } + $_levelVar_7 := $_levelVar_4 + + // ------- while END --------------- + + + // ------- Havocking regions SLock (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region SLock + quasihavocall $r: Ref, $lvl: Int, $x: Ref :: SLock($r, $lvl, $x) + + // ------- Havocking regions SLock (after atomic) END + + assert (r.$stepFrom_int in SLock_atomicity_context_hf(r, lvl, x)) + assert r.$stepFrom_int == r.$stepTo_int || + 0 == r.$stepFrom_int && 1 == r.$stepTo_int + inhale SLock_state(r, lvl, x) == r.$stepTo_int + inhale old(SLock_state(r, lvl, x)) == r.$stepFrom_int + inhale acc(SLock_LOCK(r), write) + exhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + assert $_levelVar_7 == $_levelVar_1 + loopVar0 := false + } + $_levelVar_8 := $_levelVar_1 + exhale acc(SLock_atomicity_context_fp(r, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method release(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_UNLOCK(r), write) + ensures acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 0) +{ + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + inhale $_levelVar_9 >= 0 && $_levelVar_9 > lvl + assert $_levelVar_9 >= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- use-atomic BEGIN -------- + + label 
pre_use_atomic0 + assert perm(SLock_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_9 > lvl + $_levelVar_10 := lvl + exhale acc(SLock_UNLOCK(r), write) + unfold acc(SLock(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(SLock_UNLOCK(r), write) + exhale acc(SLock(r, lvl, x), perm(SLock(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 0 + + // ------- heap-write END ---------- + + fold acc(SLock(r, lvl, x), write) + assert old[pre_use_atomic0](SLock_state(r, lvl, x)) == + SLock_state(r, lvl, x) || + 1 == old[pre_use_atomic0](SLock_state(r, lvl, x)) && + 0 == SLock_state(r, lvl, x) + $_levelVar_11 := $_levelVar_9 + + // ------- use-atomic END ---------- + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$f, write) && true + ensures (old(x.$memcell_$f) == now ? + ret && (acc(x.$memcell_$f, write) && x.$memcell_$f == thn) : + !ret && + (acc(x.$memcell_$f, write) && x.$memcell_$f == old(x.$memcell_$f))) + + +method $_SLock_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 ? 
acc(SLock_UNLOCK(r), write) : true) + + // ------- Stabilising regions SLock (check stability of region interpretation) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize6](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize6](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize6](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none))) + + // ------- Stabilising regions SLock (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 ? 
acc(SLock_UNLOCK(r), write) : true) +} + +method $_SLock_action_transitivity_check() +{ + var LOCK: Bool + var UNLOCK: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && LOCK || + 1 == aState && 0 == bState && true && UNLOCK + inhale bState == cState || 0 == bState && 1 == cState && true && LOCK || + 1 == bState && 0 == cState && true && UNLOCK + assert aState == cState || 0 == aState && 1 == cState && true && LOCK || + 1 == aState && 0 == cState && true && UNLOCK +} + +method $_makeLock_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ + var $_levelVar_13: Int + inhale $_levelVar_13 >= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions SLock (check stability of method condition) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize7](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize7](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize7](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none))) + + // ------- Stabilising regions SLock (check stability of method condition) END + + assert lvl >= 0 +} + +method $_acquire_condition_stability_precondition_check(r: Ref, lvl: 
Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == SLock_state(r, lvl, x)) && + acc(SLock_LOCK(r), write) +{ + var $_levelVar_14: Int + var b: Bool + inhale $_levelVar_14 >= 0 && $_levelVar_14 > lvl + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale SLock_interferenceSet_hf(4, r, lvl, x) == Set(0, 1) + inhale SLock_interferenceReference_hf(4, r, lvl, x) == + old(SLock_state(r, lvl, x)) + + // ------- Stabilising regions SLock (check stability of method condition) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize8](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize8](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize8](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none))) + + // ------- Stabilising regions SLock (check stability of method condition) END + + assert acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == SLock_state(r, lvl, x)) && + acc(SLock_LOCK(r), write) +} + +method $_release_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_UNLOCK(r), write) +{ + var $_levelVar_15: Int + inhale $_levelVar_15 >= 0 && 
$_levelVar_15 > lvl + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions SLock (check stability of method condition) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize9](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize9](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize9](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none))) + + // ------- Stabilising regions SLock (check stability of method condition) END + + assert acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_UNLOCK(r), write) +}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLock-ISpec.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLock-ISpec.vl.vpr
new file mode 100644
index 00000000..98590410
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLock-ISpec.vl.vpr
@@ -0,0 +1,2860 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function TLock_TICKET_T($r: Ref, n: Int): Bool + + function TLock_state_T(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, ry: Ref, + ylvl: Int, y: Ref): Bool + + function Counter_state_T(c: Ref, lvl: Int, x: Ref): Bool + + axiom TLock_TICKET_T_bottom { + (forall $r: Ref, n: Int :: + { TLock_TICKET_T($r, n) } + TLock_TICKET_T($r, n)) + } +} + +domain interferenceReference_Domain { + + function TLock_interferenceReference_df($p0: Int, r: Ref, alvl: Int, rx: Ref, + xlvl: Int, x: Ref, ry: Ref, ylvl: Int, y: Ref): Bool + + function Counter_interferenceReference_df($p0: Int, c: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function TLock_interferenceSet_df($p0: Int, r: Ref, alvl: Int, rx: Ref, xlvl: Int, + x: Ref, ry: Ref, ylvl: Int, y: Ref): Set[Int] + + function Counter_interferenceSet_df($p0: Int, c: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function TLock_atomicity_context_df(r: Ref, alvl: Int, rx: Ref, xlvl: Int, + x: Ref, ry: Ref, ylvl: Int, y: Ref): Bool + + function Counter_atomicity_context_df(c: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $cell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_13_280($s_0: Int, $s_1: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == ($s_0 <= $k && $k < $s_1)) + + +function comprehension_9_150($s_0: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == $k >= $s_0) + + +function comprehension_38_170(): Set[Int] + ensures (forall $k: Int ::($k in result) == $k >= 0) + + +function TLock_atomicity_context_hf(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, + ry: Ref, ylvl: Int, y: Ref): Set[Int] + requires acc(TLock_atomicity_context_fp(r, alvl, rx, 
xlvl, x, ry, ylvl, y), write) + ensures [TLock_atomicity_context_df(r, alvl, rx, xlvl, x, ry, ylvl, y), + true] + + +function TLock_interferenceSet_hf($p0: Int, r: Ref, alvl: Int, rx: Ref, xlvl: Int, + x: Ref, ry: Ref, ylvl: Int, y: Ref): Set[Int] + requires acc(TLock_interferenceContext_fp(r, alvl, rx, xlvl, x, ry, ylvl, + y), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in + TLock_interferenceSet_df($p0, r, alvl, rx, xlvl, x, ry, ylvl, y))), + true] + + +function TLock_interferenceReference_hf($p0: Int, r: Ref, alvl: Int, rx: Ref, + xlvl: Int, x: Ref, ry: Ref, ylvl: Int, y: Ref): Int + requires acc(TLock_interferenceContext_fp(r, alvl, rx, xlvl, x, ry, ylvl, + y), write) + ensures [TLock_interferenceReference_df($p0, r, alvl, rx, xlvl, x, ry, ylvl, + y), + true] + + +function TLock_sk_$_action_n(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, + ry: Ref, ylvl: Int, y: Ref): Int + requires acc(TLock_sk_fp(), write) + + +function TLock_sk_$_action_m(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, + ry: Ref, ylvl: Int, y: Ref): Int + requires acc(TLock_sk_fp(), write) + + +function TLock_out0(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, ry: Ref, + ylvl: Int, y: Ref): Int + requires acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) +{ + (unfolding acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) in + Counter_state(ry, ylvl, y)) +} + +function TLock_state(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, ry: Ref, + ylvl: Int, y: Ref): Int + requires acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + ensures [TLock_state_T(r, alvl, rx, xlvl, x, ry, ylvl, y), true] +{ + (unfolding acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) in + Counter_state(rx, xlvl, x)) +} + +function Counter_atomicity_context_hf(c: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Counter_atomicity_context_fp(c, lvl, x), write) + ensures [Counter_atomicity_context_df(c, lvl, x), true] + + +function Counter_interferenceSet_hf($p0: Int, c: Ref, 
lvl: Int, x: Ref): Set[Int] + requires acc(Counter_interferenceContext_fp(c, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Counter_interferenceSet_df($p0, c, lvl, x))), + true] + + +function Counter_interferenceReference_hf($p0: Int, c: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_interferenceContext_fp(c, lvl, x), write) + ensures [Counter_interferenceReference_df($p0, c, lvl, x), true] + + +function Counter_sk_$_action_n(c: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_sk_$_action_m(c: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_state(c: Ref, lvl: Int, x: Ref): Int + requires acc(Counter(c, lvl, x), write) + ensures [Counter_state_T(c, lvl, x), true] +{ + (unfolding acc(Counter(c, lvl, x), write) in x.$cell_$f) +} + +predicate TLock_TICKET($r: Ref, n: Int) + +predicate TLock_Z($r: Ref) + +predicate TLock_atomicity_context_fp(r: Ref, alvl: Int, rx: Ref, xlvl: Int, + x: Ref, ry: Ref, ylvl: Int, y: Ref) + +predicate TLock_interferenceContext_fp(r: Ref, alvl: Int, rx: Ref, xlvl: Int, + x: Ref, ry: Ref, ylvl: Int, y: Ref) + +predicate TLock_sk_fp() + +predicate TLock(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, ry: Ref, ylvl: Int, + y: Ref) { + acc(Counter(rx, xlvl, x), write) && (xlvl >= 0 && true) && + acc(Counter_G(rx), write) && + xlvl < alvl && + (acc(Counter(ry, ylvl, y), write) && (ylvl >= 0 && true)) && + acc(Counter_G(ry), write) && + ylvl < alvl && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) } + ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) } + ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) ==> + acc(TLock_TICKET(r, $a), write))) && + Counter_state(ry, ylvl, y) >= Counter_state(rx, xlvl, 
x) +} + +predicate Counter_G($r: Ref) + +predicate Counter_atomicity_context_fp(c: Ref, lvl: Int, x: Ref) + +predicate Counter_interferenceContext_fp(c: Ref, lvl: Int, x: Ref) + +predicate Counter_sk_fp() + +predicate Counter(c: Ref, lvl: Int, x: Ref) { + acc(x.$cell_$f, write) && true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_TLock() + + +method ___silicon_hack407_havoc_all_TLock_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_Counter() + + +method ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() + + +method makeLock(alvl: Int, xlvl: Int, ylvl: Int) + returns (x: Ref, y: Ref, r: Ref, rx: Ref, ry: Ref) + requires xlvl >= 0 && ylvl >= 0 && alvl > xlvl && alvl > ylvl + ensures acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && true) +{ + var k: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(x.$cell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$cell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions TLock,Counter (after heap-write@23.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock_interferenceContext_fp($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, 
$$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(1, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)) } + none < + old[pre_stabilize0](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + ($$_m in + TLock_interferenceSet_hf(1, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)) == + ((none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + ($$_m in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + ($$_m == + old[pre_stabilize0](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize0](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + $$_m && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize0](perm(TLock($r, 
$alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_interferenceSet_hf(1, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize0](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + TLock_interferenceReference_hf(1, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) == + old[pre_stabilize0](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$c, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(1, $c, $lvl, $x)) } + none < old[pre_stabilize0](perm(Counter($c, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(1, $c, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && + ($$_m == old[pre_stabilize0](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize0](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == $$_m && + true && + perm(Counter_G($c)) == none)))) + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Counter($c, $lvl, $x))) ==> + (Counter_state($c, $lvl, $x) in + Counter_interferenceSet_hf(1, $c, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + 
old[pre_stabilize0](perm(Counter($c, $lvl, $x))) ==> + Counter_interferenceReference_hf(1, $c, $lvl, $x) == + old[pre_stabilize0](Counter_state($c, $lvl, $x))) + + // ------- Stabilising regions TLock,Counter (after heap-write@23.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(y.$cell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + y.$cell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions TLock,Counter (after heap-write@27.3) BEGIN + + label pre_stabilize + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock_interferenceContext_fp($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(2, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)) } + none < + old[pre_stabilize](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + ($$_m in + TLock_interferenceSet_hf(2, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)) == + ((none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + ($$_m in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + ($$_m == + old[pre_stabilize](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + $$_m && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && 
+ (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_interferenceSet_hf(2, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) ==> + TLock_interferenceReference_hf(2, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) == + old[pre_stabilize](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$c, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(2, $c, $lvl, $x)) } + none < old[pre_stabilize](perm(Counter($c, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(2, $c, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < 
perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && + ($$_m == old[pre_stabilize](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == $$_m && + true && + perm(Counter_G($c)) == none)))) + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize](perm(Counter($c, $lvl, $x))) ==> + (Counter_state($c, $lvl, $x) in + Counter_interferenceSet_hf(2, $c, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize](perm(Counter($c, $lvl, $x))) ==> + Counter_interferenceReference_hf(2, $c, $lvl, $x) == + old[pre_stabilize](Counter_state($c, $lvl, $x))) + + // ------- Stabilising regions TLock,Counter (after heap-write@27.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Counter_G(rx), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Counter(rx, xlvl, x), write) + assert xlvl >= 0 && true + + // ------- fold END ---------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Counter_G(ry), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Counter(ry, ylvl, y), write) + assert ylvl >= 0 && true + + // ------- fold END ---------------- + + + // ------- inhale BEGIN ------------ + + inhale (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_38_170()) } + ($a in comprehension_38_170()) ==> TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_38_170()) } + ($a in comprehension_38_170()) ==> acc(TLock_TICKET(r, $a), write)) + + // ------- inhale END -------------- + + + // ------- fold BEGIN 
-------------- + + fold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + assert alvl >= 0 && true + + // ------- fold END ---------------- + +} + +method acquire(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, ry: Ref, ylvl: Int, + y: Ref) + requires acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + acc(TLock_Z(r), write) + requires (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) in IntSet()) + ensures acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + acc(TLock_Z(r), write) && + (TLock_TICKET_T(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + acc(TLock_TICKET(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))), write)) +{ + var t: Int + var v: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > alvl + assert $_levelVar_1 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(2, r, alvl, rx, xlvl, x, ry, ylvl, y) == + IntSet() + inhale TLock_interferenceReference_hf(2, r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(TLock_Z(r), write) + exhale 
acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + + // ------- Stabilising regions TLock,Counter (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize2](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize2](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize2](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of 
region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize2](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize2](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (stabilizing frame before make-atomic) END + + $_levelVar_2 := alvl + assert perm(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y)) == + none + inhale acc(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + inhale TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_interferenceSet_hf(2, r, alvl, rx, xlvl, x, ry, ylvl, y) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + acc(TLock_Z(r), write) && + (TLock_TICKET_T(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + acc(TLock_TICKET(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))), write)) + { + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, + $xlvl, $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: 
Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), old[preWhile0](perm(TLock_atomicity_context_fp($r, + $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))))) + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref :: + { TLock_atomicity_context_df($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) } + none < + old[preWhile0](perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) ==> + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[preWhile0](TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y))) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($c, + $lvl, $x), old[preWhile0](perm(Counter_atomicity_context_fp($c, $lvl, + $x))))) + inhale (forall $c: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($c, $lvl, $x) } + none < + old[preWhile0](perm(Counter_atomicity_context_fp($c, $lvl, $x))) ==> + Counter_atomicity_context_hf($c, $lvl, $x) == + old[preWhile0](Counter_atomicity_context_hf($c, $lvl, $x))) + inhale acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + inhale acc(r.$diamond, write) + + // ------- Stabilising regions TLock (before atomic) BEGIN + + label pre_stabilize3 + + // Stabilising single instance of region TLock + quasihavoc TLock(r, alvl, rx, xlvl, x, ry, ylvl, y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (none < perm(r.$diamond) && + none < + perm(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y)) ==> + (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) in + TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_stabilize3](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) || + 
TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_stabilize3](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) && + TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, y) < + TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y) && + (forall $$a: Int :: + { TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, + y), TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, + y), TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y))) ==> + perm(TLock_TICKET(r, $$a)) == none)) + + // ------- Stabilising regions TLock (before atomic) END + + assert acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + + // ------- Stabilising regions TLock (infer context for open-region) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region TLock + quasihavoc TLock_interferenceContext_fp(r, alvl, rx, xlvl, x, ry, ylvl, + y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(3, r, alvl, rx, xlvl, x, ry, ylvl, y)) } + ($$_m in + TLock_interferenceSet_hf(3, r, alvl, rx, xlvl, x, ry, ylvl, y)) == + ((none < perm(r.$diamond) && + none < + perm(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y)) ==> + ($$_m in + TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + ($$_m == + old[pre_stabilize4](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) || + TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_stabilize4](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y) == $$_m && + TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, y) < + TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y) && + (forall $$a: Int :: + { 
TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, + ylvl, y), TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, + ylvl, y), TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y))) ==> + perm(TLock_TICKET(r, $$a)) == none)))) + quasihavoc TLock(r, alvl, rx, xlvl, x, ry, ylvl, y) + inhale (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) in + TLock_interferenceSet_hf(3, r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // havoc performed by other front resource + + inhale TLock_interferenceReference_hf(3, r, alvl, rx, xlvl, x, ry, ylvl, + y) == + old[pre_stabilize4](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // ------- Stabilising regions TLock (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > alvl + $_levelVar_3 := alvl + unfold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + label transitionPre0 + quasihavoc Counter_interferenceContext_fp(rx, xlvl, x) + quasihavoc Counter_interferenceContext_fp(ry, ylvl, y) + inhale (forall $_m0: Int :: + { ($_m0 in Counter_interferenceSet_df(3, rx, xlvl, x)) } + ($_m0 in + TLock_interferenceSet_hf(3, r, alvl, rx, xlvl, x, ry, ylvl, y)) == + ($_m0 in Counter_interferenceSet_hf(3, rx, xlvl, x))) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(3, rx, xlvl, x) == + old[transitionPre0](Counter_state(rx, xlvl, x)) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(3, ry, ylvl, y) == + old[transitionPre0](Counter_state(ry, ylvl, y)) + + // ------- call:incr BEGIN --------- + + assert (forall $_m: Int :: + { ($_m in Counter_interferenceSet_hf(3, ry, ylvl, y)) } + ($_m in Counter_interferenceSet_hf(3, ry, ylvl, y)) ==> + ($_m in IntSet())) + label pre_call0 + assert $_levelVar_3 >= 0 && $_levelVar_3 > ylvl + 
assert $_levelVar_2 > ylvl + exhale acc(Counter(ry, ylvl, y), write) && + (ylvl >= 0 && + Counter_state(ry, ylvl, y) == Counter_state(ry, ylvl, y)) && + acc(Counter_G(ry), write) && + (Counter_state(ry, ylvl, y) in IntSet()) + + // ------- Stabilising regions TLock,Counter (within call:incr@54.7) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize5](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize5](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize5](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, 
$ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize5](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize5](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (within call:incr@54.7) END + + t := havoc_Int() + inhale acc(Counter(ry, ylvl, y), write) && + (ylvl >= 0 && + Counter_state(ry, ylvl, y) == + old[pre_call0](Counter_state(ry, ylvl, y)) + 1) && + acc(Counter_G(ry), write) && + t == old[pre_call0](Counter_state(ry, ylvl, y)) + + // ------- call:incr END ----------- + + fold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + assert TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_open_region0](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + $_levelVar_4 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock,Counter (after open-region@53.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock_interferenceContext_fp($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale 
(forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(4, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) } + none < + old[pre_stabilize6](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + ($$_m in + TLock_interferenceSet_hf(4, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) == + ((none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + ($$_m in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) && + ($$_m == + old[pre_stabilize6](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize6](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + $$_m && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize6](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (TLock_state($r, $alvl, $rx, 
$xlvl, $x, $ry, $ylvl, $y) in + TLock_interferenceSet_hf(4, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize6](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + TLock_interferenceReference_hf(4, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) == + old[pre_stabilize6](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$c, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(4, $c, $lvl, $x)) } + none < old[pre_stabilize6](perm(Counter($c, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(4, $c, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && + ($$_m == old[pre_stabilize6](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize6](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == $$_m && + true && + perm(Counter_G($c)) == none)))) + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Counter($c, $lvl, $x))) ==> + (Counter_state($c, $lvl, $x) in + Counter_interferenceSet_hf(4, $c, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Counter($c, $lvl, $x))) ==> + Counter_interferenceReference_hf(4, $c, 
$lvl, $x) == + old[pre_stabilize6](Counter_state($c, $lvl, $x))) + + // ------- Stabilising regions TLock,Counter (after open-region@53.5) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update0 + assert $_levelVar_4 > alvl + $_levelVar_5 := alvl + exhale acc(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + unfold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + label transitionPre + quasihavoc Counter_interferenceContext_fp(rx, xlvl, x) + quasihavoc Counter_interferenceContext_fp(ry, ylvl, y) + inhale (forall $_m0: Int :: + { ($_m0 in Counter_interferenceSet_df(4, rx, xlvl, x)) } + ($_m0 in + TLock_interferenceSet_hf(4, r, alvl, rx, xlvl, x, ry, ylvl, y)) == + ($_m0 in Counter_interferenceSet_hf(4, rx, xlvl, x))) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(4, rx, xlvl, x) == + old[transitionPre](Counter_state(rx, xlvl, x)) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(4, ry, ylvl, y) == + old[transitionPre](Counter_state(ry, ylvl, y)) + exhale acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), perm(TLock(r, alvl, + rx, xlvl, x, ry, ylvl, y))) + + // ------- call:read BEGIN --------- + + assert (forall $_m: Int :: + { ($_m in Counter_interferenceSet_hf(4, rx, xlvl, x)) } + ($_m in Counter_interferenceSet_hf(4, rx, xlvl, x)) ==> + ($_m in IntSet())) + label pre_call + assert $_levelVar_5 >= 0 && $_levelVar_5 > xlvl + assert $_levelVar_2 > xlvl + exhale acc(Counter(rx, xlvl, x), write) && + (xlvl >= 0 && + Counter_state(rx, xlvl, x) == Counter_state(rx, xlvl, x)) && + acc(Counter_G(rx), write) && + (Counter_state(rx, xlvl, x) in IntSet()) + + // ------- Stabilising regions TLock,Counter (within call:read@64.9) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: 
Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize7](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize7](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize7](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Counter($c, $lvl, $x))) ==> + (none < 
perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize7](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize7](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (within call:read@64.9) END + + v := havoc_Int() + inhale acc(Counter(rx, xlvl, x), write) && + (xlvl >= 0 && + Counter_state(rx, xlvl, x) == + old[pre_call](Counter_state(rx, xlvl, x))) && + acc(Counter_G(rx), write) && + v == old[pre_call](Counter_state(rx, xlvl, x)) + + // ------- call:read END ----------- + + fold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + if (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) != + old[pre_region_update0](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) || + v == t) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update0](TLock_state(r, alvl, rx, xlvl, + x, ry, ylvl, y)) + r.$stepTo_int := TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + inhale TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_region_update0](TLock_atomicity_context_hf(r, alvl, rx, xlvl, + x, ry, ylvl, y)) + $_levelVar_6 := $_levelVar_4 + + // ------- update-region END ------- + + + // ------- Stabilising regions TLock,Counter (after update-region@63.7) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock_interferenceContext_fp($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale 
acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(5, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) } + none < + old[pre_stabilize8](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + ($$_m in + TLock_interferenceSet_hf(5, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) == + ((none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + ($$_m in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) && + ($$_m == + old[pre_stabilize8](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize8](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + $$_m && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize8](perm(TLock($r, $alvl, 
$rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_interferenceSet_hf(5, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize8](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + TLock_interferenceReference_hf(5, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) == + old[pre_stabilize8](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$c, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(5, $c, $lvl, $x)) } + none < old[pre_stabilize8](perm(Counter($c, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(5, $c, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && + ($$_m == old[pre_stabilize8](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize8](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == $$_m && + true && + perm(Counter_G($c)) == none)))) + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Counter($c, $lvl, $x))) ==> + (Counter_state($c, $lvl, $x) in + Counter_interferenceSet_hf(5, $c, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + 
old[pre_stabilize8](perm(Counter($c, $lvl, $x))) ==> + Counter_interferenceReference_hf(5, $c, $lvl, $x) == + old[pre_stabilize8](Counter_state($c, $lvl, $x))) + + // ------- Stabilising regions TLock,Counter (after update-region@63.7) END + + + // ------- while BEGIN ------------- + + label preWhile + while (v < t) + invariant acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && true) && + (TLock_TICKET_T(r, t) && acc(TLock_TICKET(r, t), write)) + invariant t >= TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) >= v + invariant (v < t ? acc(r.$diamond, write) : true) + invariant (v == t ? + acc(r.$stepFrom_int, write) && + r.$stepFrom_int == TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) && + (acc(r.$stepTo_int, write) && + r.$stepTo_int == TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) : + true) + { + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, + $xlvl, $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_atomicity_context_fp($r, $alvl, $rx, + $xlvl, $x, $ry, $ylvl, $y), old[preWhile](perm(TLock_atomicity_context_fp($r, + $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))))) + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref :: + { TLock_atomicity_context_df($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) } + none < + old[preWhile](perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) ==> + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y) == + old[preWhile](TLock_atomicity_context_hf($r, $alvl, $rx, 
$xlvl, $x, + $ry, $ylvl, $y))) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($c, + $lvl, $x), old[preWhile](perm(Counter_atomicity_context_fp($c, $lvl, + $x))))) + inhale (forall $c: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($c, $lvl, $x) } + none < + old[preWhile](perm(Counter_atomicity_context_fp($c, $lvl, $x))) ==> + Counter_atomicity_context_hf($c, $lvl, $x) == + old[preWhile](Counter_atomicity_context_hf($c, $lvl, $x))) + assert acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + + // ------- Stabilising regions TLock (infer context for update-region) BEGIN + + label pre_stabilize9 + + // Stabilising single instance of region TLock + quasihavoc TLock_interferenceContext_fp(r, alvl, rx, xlvl, x, ry, ylvl, + y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(6, r, alvl, rx, xlvl, x, ry, ylvl, y)) } + ($$_m in + TLock_interferenceSet_hf(6, r, alvl, rx, xlvl, x, ry, ylvl, y)) == + ((none < perm(r.$diamond) && + none < + perm(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y)) ==> + ($$_m in + TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + ($$_m == + old[pre_stabilize9](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) || + TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_stabilize9](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y) == $$_m && + TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, ylvl, y) < + TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y) && + (forall $$a: Int :: + { TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, + ylvl, y), TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n(r, alvl, rx, xlvl, x, ry, + ylvl, y), TLock_sk_$_action_m(r, alvl, rx, xlvl, x, ry, ylvl, y))) ==> + 
perm(TLock_TICKET(r, $$a)) == none)))) + quasihavoc TLock(r, alvl, rx, xlvl, x, ry, ylvl, y) + inhale (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) in + TLock_interferenceSet_hf(6, r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // havoc performed by other front resource + + inhale TLock_interferenceReference_hf(6, r, alvl, rx, xlvl, x, ry, ylvl, + y) == + old[pre_stabilize9](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // ------- Stabilising regions TLock (infer context for update-region) END + + + // ------- update-region BEGIN ----- + + exhale acc(r.$diamond, write) + label pre_region_update + assert $_levelVar_6 > alvl + $_levelVar_7 := alvl + exhale acc(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, + y), write) + unfold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + label transitionPre2 + quasihavoc Counter_interferenceContext_fp(rx, xlvl, x) + quasihavoc Counter_interferenceContext_fp(ry, ylvl, y) + inhale (forall $_m0: Int :: + { ($_m0 in Counter_interferenceSet_df(6, rx, xlvl, x)) } + ($_m0 in + TLock_interferenceSet_hf(6, r, alvl, rx, xlvl, x, ry, ylvl, y)) == + ($_m0 in Counter_interferenceSet_hf(6, rx, xlvl, x))) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(6, rx, xlvl, x) == + old[transitionPre2](Counter_state(rx, xlvl, x)) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(6, ry, ylvl, y) == + old[transitionPre2](Counter_state(ry, ylvl, y)) + exhale acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), perm(TLock(r, alvl, + rx, xlvl, x, ry, ylvl, y))) + + // ------- call:read BEGIN --------- + + assert (forall $_m: Int :: + { ($_m in Counter_interferenceSet_hf(6, rx, xlvl, x)) } + ($_m in Counter_interferenceSet_hf(6, rx, xlvl, x)) ==> + ($_m in IntSet())) + label pre_call2 + assert $_levelVar_7 >= 0 && $_levelVar_7 > xlvl + assert $_levelVar_2 > xlvl + exhale acc(Counter(rx, xlvl, x), write) && + (xlvl >= 0 && + Counter_state(rx, 
xlvl, x) == Counter_state(rx, xlvl, x)) && + acc(Counter_G(rx), write) && + (Counter_state(rx, xlvl, x) in IntSet()) + + // ------- Stabilising regions TLock,Counter (within call:read@64.9) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize10](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize10](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize10](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) ==> + perm(TLock_TICKET($r, 
$$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize10](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize10](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == + Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (within call:read@64.9) END + + v := havoc_Int() + inhale acc(Counter(rx, xlvl, x), write) && + (xlvl >= 0 && + Counter_state(rx, xlvl, x) == + old[pre_call2](Counter_state(rx, xlvl, x))) && + acc(Counter_G(rx), write) && + v == old[pre_call2](Counter_state(rx, xlvl, x)) + + // ------- call:read END ----------- + + fold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + if (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) != + old[pre_region_update](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) || + v == t) { + inhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + r.$stepFrom_int := old[pre_region_update](TLock_state(r, alvl, rx, xlvl, + x, ry, ylvl, y)) + r.$stepTo_int := TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) + } else { + inhale acc(r.$diamond, write) + } + inhale acc(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, + y), write) + inhale TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old[pre_region_update](TLock_atomicity_context_hf(r, alvl, rx, xlvl, + x, ry, ylvl, y)) + $_levelVar_8 := $_levelVar_6 + + // ------- update-region END ------- + + 
+ // ------- Stabilising regions TLock,Counter (after update-region@63.7) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock_interferenceContext_fp($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: (forall $$_m: Int :: + { ($$_m in + TLock_interferenceSet_df(7, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) } + none < + old[pre_stabilize11](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + ($$_m in + TLock_interferenceSet_hf(7, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) == + ((none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y)) ==> + ($$_m in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) && + ($$_m == + old[pre_stabilize11](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize11](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + $$_m && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall 
$$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize11](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_interferenceSet_hf(7, $r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize11](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + TLock_interferenceReference_hf(7, $r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y) == + old[pre_stabilize11](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$c, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(7, $c, $lvl, $x)) } + none < old[pre_stabilize11](perm(Counter($c, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(7, $c, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($c, $lvl, $x))) && + ($$_m == old[pre_stabilize11](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize11](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == $$_m && + true && + perm(Counter_G($c)) == none)))) + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + inhale 
(forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Counter($c, $lvl, $x))) ==> + (Counter_state($c, $lvl, $x) in + Counter_interferenceSet_hf(7, $c, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Counter($c, $lvl, $x))) ==> + Counter_interferenceReference_hf(7, $c, $lvl, $x) == + old[pre_stabilize11](Counter_state($c, $lvl, $x))) + + // ------- Stabilising regions TLock,Counter (after update-region@63.7) END + + assert $_levelVar_8 == $_levelVar_6 + } + $_levelVar_9 := $_levelVar_6 + + // ------- while END --------------- + + + // ------- Havocking regions TLock (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region TLock + quasihavocall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, $y: Ref :: TLock($r, + $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) + + // ------- Havocking regions TLock (after atomic) END + + assert (r.$stepFrom_int in + TLock_atomicity_context_hf(r, alvl, rx, xlvl, x, ry, ylvl, y)) + assert r.$stepFrom_int == r.$stepTo_int + inhale TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == r.$stepTo_int + inhale old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) == + r.$stepFrom_int + inhale acc(TLock_Z(r), write) + exhale acc(r.$stepFrom_int, write) && acc(r.$stepTo_int, write) + assert $_levelVar_9 == $_levelVar_1 + loopVar0 := false + } + $_levelVar_10 := $_levelVar_1 + exhale acc(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + + // ------- make-atomic END --------- + +} + +method release(r: Ref, alvl: Int, rx: Ref, xlvl: Int, x: Ref, ry: Ref, ylvl: Int, + y: Ref) + requires acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + (TLock_TICKET_T(r, TLock_state(r, alvl, rx, xlvl, x, ry, 
ylvl, y)) && + acc(TLock_TICKET(r, TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)), write)) + requires (TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) in + Set(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) + ensures acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + 1) +{ + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + inhale $_levelVar_11 >= 0 && $_levelVar_11 > alvl + assert $_levelVar_11 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y) == + Set(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + inhale TLock_interferenceReference_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(TLock_atomicity_context_fp(r, alvl, rx, xlvl, x, ry, ylvl, y)) == + none + assert $_levelVar_11 > alvl + $_levelVar_12 := alvl + exhale TLock_TICKET_T(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + acc(TLock_TICKET(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))), write) + unfold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + label transitionPre3 + quasihavoc Counter_interferenceContext_fp(rx, xlvl, x) + quasihavoc Counter_interferenceContext_fp(ry, ylvl, y) + inhale (forall $_m0: Int :: + { ($_m0 in Counter_interferenceSet_df(7, rx, xlvl, x)) } + ($_m0 in + TLock_interferenceSet_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y)) == + ($_m0 in 
Counter_interferenceSet_hf(7, rx, xlvl, x))) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(7, rx, xlvl, x) == + old[transitionPre3](Counter_state(rx, xlvl, x)) + + // havoc performed by other front resource + + inhale true ==> + Counter_interferenceReference_hf(7, ry, ylvl, y) == + old[transitionPre3](Counter_state(ry, ylvl, y)) + inhale TLock_TICKET_T(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) && + acc(TLock_TICKET(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))), write) + exhale acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), perm(TLock(r, alvl, rx, + xlvl, x, ry, ylvl, y))) + + // ------- call:wkincr BEGIN ------- + + assert (forall $_m: Int :: + { ($_m in Counter_interferenceSet_hf(7, rx, xlvl, x)) } + ($_m in Counter_interferenceSet_hf(7, rx, xlvl, x)) ==> + ($_m in Set(Counter_interferenceReference_hf(7, rx, xlvl, x)))) + label pre_call3 + assert $_levelVar_12 >= 0 && $_levelVar_12 > xlvl + assert true + exhale acc(Counter(rx, xlvl, x), write) && + (xlvl >= 0 && Counter_state(rx, xlvl, x) == Counter_state(rx, xlvl, x)) && + acc(Counter_G(rx), write) && + (Counter_state(rx, xlvl, x) in Set(Counter_state(rx, xlvl, x))) + + // ------- Stabilising regions TLock,Counter (within call:wkincr@80.5) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize12](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + 
(TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize12](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize12](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize12](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize12](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (within 
call:wkincr@80.5) END + + inhale acc(Counter(rx, xlvl, x), write) && + (xlvl >= 0 && + Counter_state(rx, xlvl, x) == + old[pre_call3](Counter_state(rx, xlvl, x)) + 1) && + acc(Counter_G(rx), write) + + // ------- call:wkincr END --------- + + inhale perm(TLock_TICKET(r, old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, + y)))) <= + write + fold acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) + assert old[pre_use_atomic0](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) || + old[pre_use_atomic0](TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) < + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) && + (forall $a: Int ::($a in + comprehension_13_280(old[pre_use_atomic0](TLock_state(r, alvl, rx, xlvl, + x, ry, ylvl, y)), TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) ==> + $a == old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y))) + $_levelVar_13 := $_levelVar_11 + + // ------- use-atomic END ---------- + +} + +method read(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) + requires (Counter_state(c, lvl, x) in IntSet()) + ensures acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x))) && + acc(Counter_G(c), write) + ensures ret == old(Counter_state(c, lvl, x)) +{ + var $_levelVar_14: Int + inhale $_levelVar_14 >= 0 && $_levelVar_14 > lvl + assert $_levelVar_14 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == 
IntSet() + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + inhale false +} + +method incr(c: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) + requires (Counter_state(c, lvl, x) in IntSet()) + ensures acc(Counter(c, lvl, x), write) && + (lvl >= 0 && + Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x)) + 1) && + acc(Counter_G(c), write) && + ret == old(Counter_state(c, lvl, x)) +{ + var $_levelVar_15: Int + inhale $_levelVar_15 >= 0 && $_levelVar_15 > lvl + assert $_levelVar_15 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + inhale false +} + +method wkincr(c: Ref, lvl: Int, x: Ref) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) + requires (Counter_state(c, lvl, x) in Set(Counter_state(c, lvl, x))) + ensures acc(Counter(c, lvl, x), write) && + (lvl >= 0 && + Counter_state(c, lvl, x) == old(Counter_state(c, lvl, x)) + 1) && + acc(Counter_G(c), write) +{ + var $_levelVar_16: Int + inhale $_levelVar_16 >= 0 && $_levelVar_16 > lvl + assert $_levelVar_16 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref 
::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == + Set(Counter_state(c, lvl, x)) + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + inhale false +} + +method $_TLock_interpretation_stability_check(r: Ref, alvl: Int, rx: Ref, xlvl: Int, + x: Ref, ry: Ref, ylvl: Int, y: Ref) +{ + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale acc(Counter(rx, xlvl, x), write) && (xlvl >= 0 && true) && + acc(Counter_G(rx), write) && + xlvl < alvl && + (acc(Counter(ry, ylvl, y), write) && (ylvl >= 0 && true)) && + acc(Counter_G(ry), write) && + ylvl < alvl && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) } + ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) } + ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) ==> + acc(TLock_TICKET(r, $a), write))) && + Counter_state(ry, ylvl, y) >= Counter_state(rx, xlvl, x) + + // ------- Stabilising regions TLock,Counter (check stability of region interpretation) BEGIN + + label pre_stabilize13 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale 
acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize13](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize13](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize13](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + 
(Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize13](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize13](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of region interpretation) END + + assert acc(Counter(rx, xlvl, x), write) && (xlvl >= 0 && true) && + acc(Counter_G(rx), write) && + xlvl < alvl && + (acc(Counter(ry, ylvl, y), write) && (ylvl >= 0 && true)) && + acc(Counter_G(ry), write) && + ylvl < alvl && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) } + ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) } + ($a in comprehension_9_150(Counter_state(ry, ylvl, y))) ==> + acc(TLock_TICKET(r, $a), write))) && + Counter_state(ry, ylvl, y) >= Counter_state(rx, xlvl, x) +} + +method $_TLock_action_transitivity_check() +{ + var TICKET: Set[Int] + var Z: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + (comprehension_13_280($_action_n_0_x, $_action_m_0_x) subset TICKET) + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + (comprehension_13_280($_action_n_0_y, $_action_m_0_y) subset TICKET) + assert aState == cState || + aState == aState && cState == cState && aState < cState && + (comprehension_13_280(aState, cState) subset TICKET) +} + +method 
$_Counter_interpretation_stability_check(c: Ref, lvl: Int, x: Ref) +{ + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale acc(x.$cell_$f, write) && true + + // ------- Stabilising regions TLock,Counter (check stability of region interpretation) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize14](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize14](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize14](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, 
$ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize14](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize14](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of region interpretation) END + + assert acc(x.$cell_$f, write) && true +} + +method $_Counter_action_transitivity_check() +{ + var G: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && true && G + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && true && G + assert aState == cState || + aState == aState && cState == cState && true && G +} + +method $_makeLock_condition_stability_precondition_check(alvl: Int, xlvl: Int, + ylvl: Int, 
x: Ref, y: Ref, r: Ref, rx: Ref, ry: Ref) + requires xlvl >= 0 && ylvl >= 0 && alvl > xlvl && alvl > ylvl +{ + var $_levelVar_17: Int + inhale $_levelVar_17 >= 0 + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize15](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize15](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize15](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + 
TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize15](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize15](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) END + + assert xlvl >= 0 && ylvl >= 0 && alvl > xlvl && alvl > ylvl +} + +method $_acquire_condition_stability_precondition_check(r: Ref, alvl: Int, rx: Ref, + xlvl: Int, x: Ref, ry: Ref, ylvl: Int, y: Ref) + requires acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + acc(TLock_Z(r), write) +{ + var $_levelVar_18: Int + var t: Int + var v: Int + inhale $_levelVar_18 >= 0 && $_levelVar_18 > alvl + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // 
no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y) == + IntSet() + inhale TLock_interferenceReference_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize16](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize16](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize16](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, 
$alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize16](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize16](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize16](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) END + + assert acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + acc(TLock_Z(r), write) +} + +method $_release_condition_stability_precondition_check(r: Ref, alvl: Int, rx: Ref, + xlvl: Int, x: Ref, ry: Ref, ylvl: Int, y: Ref) + requires acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + (TLock_TICKET_T(r, TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + 
acc(TLock_TICKET(r, TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)), write)) +{ + var $_levelVar_19: Int + inhale $_levelVar_19 >= 0 && $_levelVar_19 > alvl + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y) == + Set(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + inhale TLock_interferenceReference_hf(7, r, alvl, rx, xlvl, x, ry, ylvl, y) == + old(TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize17](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize17](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + 
old[pre_stabilize17](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize17](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize17](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) END + + assert acc(TLock(r, alvl, rx, xlvl, x, ry, ylvl, y), write) && + (alvl >= 0 && + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y) == + TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + (TLock_TICKET_T(r, TLock_state(r, alvl, rx, xlvl, x, ry, ylvl, y)) && + acc(TLock_TICKET(r, TLock_state(r, alvl, rx, xlvl, x, 
ry, ylvl, y)), write)) +} + +method $_read_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) +{ + var $_levelVar_20: Int + inhale $_levelVar_20 >= 0 && $_levelVar_20 > lvl + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize18](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize18](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, 
$alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize18](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize18](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize18](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize18](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) END + + assert acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) +} + +method $_incr_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(c, lvl, 
x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) +{ + var $_levelVar_21: Int + inhale $_levelVar_21 >= 0 && $_levelVar_21 > lvl + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == IntSet() + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize19](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize19](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize19](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + 
TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize19](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize19](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) END + + assert acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) +} + +method $_wkincr_condition_stability_precondition_check(c: Ref, lvl: Int, x: Ref) + requires acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) +{ + var $_levelVar_22: 
Int + inhale $_levelVar_22 >= 0 && $_levelVar_22 > lvl + inhale acc(TLock_sk_fp(), write) && acc(Counter_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, + $ylvl: Int, $y: Ref ::acc(TLock_interferenceContext_fp($r, $alvl, $rx, $xlvl, + $x, $ry, $ylvl, $y), write)) + inhale (forall $c: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($c, + $lvl, $x), write)) + inhale Counter_interferenceSet_hf(7, c, lvl, x) == + Set(Counter_state(c, lvl, x)) + inhale Counter_interferenceReference_hf(7, c, lvl, x) == + old(Counter_state(c, lvl, x)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) BEGIN + + label pre_stabilize20 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$alvl: Int, $$rx: Ref, $$xlvl: Int, $$x: Ref, $$ry: Ref, $$ylvl: Int, $$y: Ref :: TLock($$r, + $$alvl, $$rx, $$xlvl, $$x, $$ry, $$ylvl, $$y) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $rx: Ref, $xlvl: Int, $x: Ref, $ry: Ref, $ylvl: Int, + $y: Ref [TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y)] :: none < + old[pre_stabilize20](perm(TLock($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y))) ==> + (none < perm($r.$diamond) && + none < + perm(TLock_atomicity_context_fp($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) ==> + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) in + TLock_atomicity_context_hf($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y))) && + (TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize20](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) || + TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + old[pre_stabilize20](TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, + $y)) && + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) == + TLock_state($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + 
TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) < + TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, $ylvl, $y) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) } + ($$a in + comprehension_13_280(TLock_sk_$_action_n($r, $alvl, $rx, $xlvl, $x, + $ry, $ylvl, $y), TLock_sk_$_action_m($r, $alvl, $rx, $xlvl, $x, $ry, + $ylvl, $y))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // Stabilising all instances of region Counter + quasihavocall $$c: Ref, $$lvl: Int, $$x: Ref :: Counter($$c, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $c: Ref, $lvl: Int, $x: Ref [Counter($c, $lvl, $x)] :: none < + old[pre_stabilize20](perm(Counter($c, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Counter_atomicity_context_fp($c, $lvl, $x)) ==> + (Counter_state($c, $lvl, $x) in + Counter_atomicity_context_hf($c, $lvl, $x))) && + (Counter_state($c, $lvl, $x) == + old[pre_stabilize20](Counter_state($c, $lvl, $x)) || + Counter_sk_$_action_n($c, $lvl, $x) == + old[pre_stabilize20](Counter_state($c, $lvl, $x)) && + Counter_sk_$_action_m($c, $lvl, $x) == Counter_state($c, $lvl, $x) && + true && + perm(Counter_G($c)) == none)) + + // ------- Stabilising regions TLock,Counter (check stability of method condition) END + + assert acc(Counter(c, lvl, x), write) && + (lvl >= 0 && Counter_state(c, lvl, x) == Counter_state(c, lvl, x)) && + acc(Counter_G(c), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLockClient-I.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLockClient-I.vl.vpr new file mode 100644 index 00000000..105ad095 --- /dev/null 
+++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/strong_spec/correct/TicketLockClient-I.vl.vpr 
@@ -0,0 +1,1800 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Client_state_T(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Bool + + function TLock_TICKET_T($r: Ref, n: Int): Bool + + function TLock_state_T(r: Ref, lvl: Int, x: Ref): Bool + + axiom TLock_TICKET_T_bottom { + (forall $r: Ref, n: Int :: + { TLock_TICKET_T($r, n) } + TLock_TICKET_T($r, n)) + } +} + +domain interferenceReference_Domain { + + function Client_interferenceReference_df($p0: Int, c: Ref, l: Int, z: Ref, + r: Ref, lvl: Int, x: Ref): Bool + + function TLock_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Client_interferenceSet_df($p0: Int, c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref): Set[Int] + + function TLock_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function Client_atomicity_context_df(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref): Bool + + function TLock_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $dualcell_$left: Int + +field $dualcell_$right: Int + +field $dualcell_$_val: Int + +field $dualcell_$_own: Bool + +field $memcell_$next: Int + +field $memcell_$owner: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_89_220(): Set[Int] + ensures (forall $k: Int ::($k in result) == true) + + +function comprehension_74_150($s_0: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == $k >= $s_0) + + +function comprehension_78_280($s_0: Int, $s_1: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == ($s_0 <= $k && $k < $s_1)) + + +function Client_atomicity_context_hf(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref): Set[Int] + requires 
acc(Client_atomicity_context_fp(c, l, z, r, lvl, x), write) + ensures [Client_atomicity_context_df(c, l, z, r, lvl, x), true] + + +function Client_interferenceSet_hf($p0: Int, c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref): Set[Int] + requires acc(Client_interferenceContext_fp(c, l, z, r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Client_interferenceSet_df($p0, c, l, z, r, lvl, x))), + true] + + +function Client_interferenceReference_hf($p0: Int, c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref): Int + requires acc(Client_interferenceContext_fp(c, l, z, r, lvl, x), write) + ensures [Client_interferenceReference_df($p0, c, l, z, r, lvl, x), true] + + +function Client_sk_$_action_n(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Client_sk_fp(), write) + + +function Client_sk_$_action_m(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Client_sk_fp(), write) + + +function Client_state(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Client(c, l, z, r, lvl, x), write) + ensures [Client_state_T(c, l, z, r, lvl, x), true] +{ + (unfolding acc(Client(c, l, z, r, lvl, x), write) in z.$dualcell_$_val) +} + +function TLock_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(TLock_atomicity_context_fp(r, lvl, x), write) + ensures [TLock_atomicity_context_df(r, lvl, x), true] + + +function TLock_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(TLock_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in TLock_interferenceSet_df($p0, r, lvl, x))), + true] + + +function TLock_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_interferenceContext_fp(r, lvl, x), write) + ensures [TLock_interferenceReference_df($p0, r, lvl, x), true] + + +function TLock_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + 
requires acc(TLock_sk_fp(), write) + + +function TLock_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_sk_fp(), write) + + +function TLock_out0(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock(r, lvl, x), write) +{ + (unfolding acc(TLock(r, lvl, x), write) in x.$memcell_$next) +} + +function TLock_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock(r, lvl, x), write) + ensures [TLock_state_T(r, lvl, x), true] +{ + (unfolding acc(TLock(r, lvl, x), write) in x.$memcell_$owner) +} + +predicate Client_Z($r: Ref) + +predicate Client_atomicity_context_fp(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref) + +predicate Client_interferenceContext_fp(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref) + +predicate Client_sk_fp() + +predicate Client(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref) { + acc(z.$dualcell_$_val, write) && true && + (acc(z.$dualcell_$_own, write) && true) && + (acc(TLock(r, lvl, x), write) && (lvl >= 0 && true)) && + lvl < l && + (z.$dualcell_$_own ? 
+ TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write) : + acc(z.$dualcell_$left, write) && z.$dualcell_$left == z.$dualcell_$_val && + (acc(z.$dualcell_$right, write) && + z.$dualcell_$right == z.$dualcell_$_val)) +} + +predicate TLock_TICKET($r: Ref, n: Int) + +predicate TLock_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate TLock_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate TLock_sk_fp() + +predicate TLock(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_74_150(x.$memcell_$next)) } + ($a in comprehension_74_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_74_150(x.$memcell_$next)) } + ($a in comprehension_74_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_Client() + + +method ___silicon_hack407_havoc_all_Client_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_TLock() + + +method ___silicon_hack407_havoc_all_TLock_interferenceContext_fp() + + +method foo(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref, w: Int) + requires acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) + ensures acc(Client(c, l, z, r, lvl, x), write) && + (l >= 0 && Client_state(c, l, z, r, lvl, x) == w) && + acc(Client_Z(c), write) +{ + var ni: Int + var s1: Bool + var a: Int + var m: Int + var s2: Bool + var $_levelVar_0: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + inhale $_levelVar_0 >= 0 && $_levelVar_0 > l + assert 
$_levelVar_0 >= 0 + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- make-atomic BEGIN ------- + + var loopVar0: Bool + exhale acc(Client_Z(c), write) + exhale acc(Client(c, l, z, r, lvl, x), write) + + // ------- Stabilising regions Client,TLock (stabilizing frame before make-atomic) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize0](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize0](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < 
perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize0](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (stabilizing frame before make-atomic) END + + $_levelVar_1 := l + assert perm(Client_atomicity_context_fp(c, l, z, r, lvl, x)) == none + inhale acc(Client_atomicity_context_fp(c, l, z, r, lvl, x), write) + inhale Client_atomicity_context_hf(c, l, z, r, lvl, x) == + Client_interferenceSet_hf(0, c, l, z, r, lvl, x) + label preWhile0 + loopVar0 := true + while (loopVar0) + invariant !loopVar0 ==> + acc(Client(c, l, z, r, lvl, x), write) && + (l >= 0 && Client_state(c, l, z, r, lvl, x) == w) && + acc(Client_Z(c), write) + { + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_atomicity_context_fp($c, + $l, $z, $r, $lvl, $x), old[preWhile0](perm(Client_atomicity_context_fp($c, + $l, $z, $r, $lvl, $x))))) + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref :: + { 
Client_atomicity_context_df($c, $l, $z, $r, $lvl, $x) } + none < + old[preWhile0](perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, + $x))) ==> + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x) == + old[preWhile0](Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(TLock_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { TLock_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(TLock_atomicity_context_fp($r, $lvl, $x))) ==> + TLock_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](TLock_atomicity_context_hf($r, $lvl, $x))) + inhale acc(Client(c, l, z, r, lvl, x), write) + inhale acc(c.$diamond, write) + + // ------- Stabilising regions Client (before atomic) BEGIN + + label pre_stabilize + + // Stabilising single instance of region Client + quasihavoc Client(c, l, z, r, lvl, x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (none < perm(c.$diamond) && + none < perm(Client_atomicity_context_fp(c, l, z, r, lvl, x)) ==> + (Client_state(c, l, z, r, lvl, x) in + Client_atomicity_context_hf(c, l, z, r, lvl, x))) && + (Client_state(c, l, z, r, lvl, x) == + old[pre_stabilize](Client_state(c, l, z, r, lvl, x)) || + Client_sk_$_action_n(c, l, z, r, lvl, x) == + old[pre_stabilize](Client_state(c, l, z, r, lvl, x)) && + Client_sk_$_action_m(c, l, z, r, lvl, x) == + Client_state(c, l, z, r, lvl, x) && + true && + true) + + // ------- Stabilising regions Client (before atomic) END + + assert acc(Client(c, l, z, r, lvl, x), write) + + // ------- Stabilising regions Client (infer context for open-region) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region Client + quasihavoc Client_interferenceContext_fp(c, l, z, r, lvl, x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m 
in Client_interferenceSet_df(1, c, l, z, r, lvl, x)) } + ($$_m in Client_interferenceSet_hf(1, c, l, z, r, lvl, x)) == + ((none < perm(c.$diamond) && + none < perm(Client_atomicity_context_fp(c, l, z, r, lvl, x)) ==> + ($$_m in Client_atomicity_context_hf(c, l, z, r, lvl, x))) && + ($$_m == old[pre_stabilize2](Client_state(c, l, z, r, lvl, x)) || + Client_sk_$_action_n(c, l, z, r, lvl, x) == + old[pre_stabilize2](Client_state(c, l, z, r, lvl, x)) && + Client_sk_$_action_m(c, l, z, r, lvl, x) == $$_m && + true && + true))) + quasihavoc Client(c, l, z, r, lvl, x) + inhale (Client_state(c, l, z, r, lvl, x) in + Client_interferenceSet_hf(1, c, l, z, r, lvl, x)) + + // havoc performed by other front resource + + inhale Client_interferenceReference_hf(1, c, l, z, r, lvl, x) == + old[pre_stabilize2](Client_state(c, l, z, r, lvl, x)) + + // ------- Stabilising regions Client (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_0 > l + $_levelVar_2 := l + unfold acc(Client(c, l, z, r, lvl, x), write) + label transitionPre0 + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + TLock_interferenceReference_hf(1, r, lvl, x) == + old[transitionPre0](TLock_state(r, lvl, x)) + + // ------- assert BEGIN ------------ + + assert acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) + ni := TLock_state(r, lvl, x) + + // ------- assert END -------------- + + + // ------- call:acquire BEGIN ------ + + assert (forall $_m: Int :: + { ($_m in TLock_interferenceSet_hf(1, r, lvl, x)) } + ($_m in TLock_interferenceSet_hf(1, r, lvl, x)) ==> + ($_m in comprehension_89_220())) + label pre_call0 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl + assert $_levelVar_1 > lvl + exhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_state(r, lvl, x) in 
comprehension_89_220()) + + // ------- Stabilising regions Client,TLock (within call:acquire@31.7) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize3](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize3](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize3](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + 
comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (within call:acquire@31.7) END + + inhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && + TLock_state(r, lvl, x) == old[pre_call0](TLock_state(r, lvl, x))) && + (TLock_TICKET_T(r, old[pre_call0](TLock_state(r, lvl, x))) && + acc(TLock_TICKET(r, old[pre_call0](TLock_state(r, lvl, x))), write)) + + // ------- call:acquire END -------- + + inhale perm(TLock_TICKET(r, ni)) <= write + + // ------- havoc BEGIN ------------- + + exhale acc(z.$dualcell_$_own, write) + inhale acc(z.$dualcell_$_own, write) + + // ------- havoc END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$dualcell_$_own, write) && true + s1 := z.$dualcell_$_own + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale s1 == true + + // ------- assume END -------------- + + fold acc(Client(c, l, z, r, lvl, x), write) + assert Client_state(c, l, z, r, lvl, x) == + old[pre_open_region0](Client_state(c, l, z, r, lvl, x)) + $_levelVar_3 := $_levelVar_0 + + // ------- open-region END --------- + + + // ------- Stabilising regions Client,TLock (after open-region@28.5) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Client_interferenceSet_df(2, $c, $l, $z, $r, $lvl, $x)) } + none < + old[pre_stabilize4](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in 
Client_interferenceSet_hf(2, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < + perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize4](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize4](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(2, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(2, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize4](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](TLock_state($r, $lvl, $x)) || + 
TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize4](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after open-region@28.5) END + + + // ------- heap-write BEGIN -------- + + z.$dualcell_$left := w + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Client,TLock (after heap-write@42.5) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Client_interferenceSet_df(3, $c, $l, $z, $r, $lvl, $x)) } + none < + old[pre_stabilize5](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(3, $c, $l, $z, $r, 
$lvl, $x)) == + ((none < perm($c.$diamond) && + none < + perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize5](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize5](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(3, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(3, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize5](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + 
old[pre_stabilize5](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize5](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after heap-write@42.5) END + + + // ------- heap-write BEGIN -------- + + z.$dualcell_$right := w + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Client,TLock (after heap-write@43.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Client_interferenceSet_df(4, $c, $l, $z, $r, $lvl, $x)) } + none < + old[pre_stabilize6](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(4, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) 
&& + none < + perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize6](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize6](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(4, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(4, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize6](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](TLock_state($r, $lvl, $x)) && + 
TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize6](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after heap-write@43.5) END + + + // ------- update-region BEGIN ----- + + exhale acc(c.$diamond, write) + label pre_region_update0 + assert $_levelVar_3 > l + $_levelVar_4 := l + exhale acc(Client_atomicity_context_fp(c, l, z, r, lvl, x), write) + unfold acc(Client(c, l, z, r, lvl, x), write) + label transitionPre + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + TLock_interferenceReference_hf(4, r, lvl, x) == + old[transitionPre](TLock_state(r, lvl, x)) + exhale acc(Client(c, l, z, r, lvl, x), perm(Client(c, l, z, r, lvl, x))) + + // ------- havoc BEGIN ------------- + + exhale acc(z.$dualcell_$_val, write) + inhale acc(z.$dualcell_$_val, write) + + // ------- havoc END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$dualcell_$_val, write) && true + a := z.$dualcell_$_val + + // ------- 
assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale a == w + + // ------- assume END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) + m := TLock_state(r, lvl, x) + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + exhale acc(z.$dualcell_$_own, write) + inhale acc(z.$dualcell_$_own, write) + + // ------- havoc END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$dualcell_$_own, write) && true + s2 := z.$dualcell_$_own + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale s2 == false + + // ------- assume END -------------- + + + // ------- call:release BEGIN ------ + + assert (forall $_m: Int :: + { ($_m in TLock_interferenceSet_hf(4, r, lvl, x)) } + ($_m in TLock_interferenceSet_hf(4, r, lvl, x)) ==> + ($_m in comprehension_89_220())) + label pre_call + assert $_levelVar_4 >= 0 && $_levelVar_4 > lvl + assert $_levelVar_1 > lvl + exhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) && + (TLock_state(r, lvl, x) in comprehension_89_220()) + + // ------- Stabilising regions Client,TLock (within call:release@56.7) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in 
+ Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize7](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize7](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize7](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (within call:release@56.7) END + + inhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && + TLock_state(r, lvl, x) == old[pre_call](TLock_state(r, lvl, x)) + 1) + + // ------- call:release END -------- + + fold acc(Client(c, l, z, r, lvl, x), write) + if (Client_state(c, l, z, r, lvl, x) != + old[pre_region_update0](Client_state(c, l, z, r, lvl, x)) || + true) { + inhale acc(c.$stepFrom_int, write) && 
acc(c.$stepTo_int, write) + c.$stepFrom_int := old[pre_region_update0](Client_state(c, l, z, r, lvl, + x)) + c.$stepTo_int := Client_state(c, l, z, r, lvl, x) + } else { + inhale acc(c.$diamond, write) + } + inhale acc(Client_atomicity_context_fp(c, l, z, r, lvl, x), write) + inhale Client_atomicity_context_hf(c, l, z, r, lvl, x) == + old[pre_region_update0](Client_atomicity_context_hf(c, l, z, r, lvl, x)) + $_levelVar_5 := $_levelVar_3 + + // ------- update-region END ------- + + + // ------- Stabilising regions Client,TLock (after update-region@45.5) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Client_interferenceSet_df(5, $c, $l, $z, $r, $lvl, $x)) } + none < + old[pre_stabilize8](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(5, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < + perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize8](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize8](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, 
$r, $lvl, $x) in + Client_interferenceSet_hf(5, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(5, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize8](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc performed by other front resource 
+ + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize8](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after update-region@45.5) END + + + // ------- Havocking regions Client (after atomic) BEGIN + + label pre_havoc0 + + // Havocking single instance of region Client + quasihavocall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref :: Client($c, + $l, $z, $r, $lvl, $x) + + // ------- Havocking regions Client (after atomic) END + + assert (c.$stepFrom_int in + Client_atomicity_context_hf(c, l, z, r, lvl, x)) + assert true + inhale Client_state(c, l, z, r, lvl, x) == c.$stepTo_int + inhale old(Client_state(c, l, z, r, lvl, x)) == c.$stepFrom_int + inhale acc(Client_Z(c), write) + exhale acc(c.$stepFrom_int, write) && acc(c.$stepTo_int, write) + assert $_levelVar_5 == $_levelVar_0 + loopVar0 := false + } + $_levelVar_6 := $_levelVar_0 + exhale acc(Client_atomicity_context_fp(c, l, z, r, lvl, x), write) + + // ------- make-atomic END --------- + +} + +method acquire(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) + requires (TLock_state(r, lvl, x) in comprehension_89_220()) + ensures acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == old(TLock_state(r, lvl, x))) && + (TLock_TICKET_T(r, old(TLock_state(r, lvl, x))) && + acc(TLock_TICKET(r, old(TLock_state(r, lvl, x))), write)) +{ + var $_levelVar_7: Int + inhale $_levelVar_7 >= 0 && $_levelVar_7 > lvl + assert $_levelVar_7 >= 0 + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_89_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + old(TLock_state(r, lvl, x)) + inhale false +} + +method release(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) + requires (TLock_state(r, lvl, x) in comprehension_89_220()) + ensures acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == old(TLock_state(r, lvl, x)) + 1) +{ + var $_levelVar_8: Int + inhale $_levelVar_8 >= 0 && $_levelVar_8 > lvl + assert $_levelVar_8 >= 0 + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_89_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + old(TLock_state(r, lvl, x)) + inhale false +} + +method $_Client_interpretation_stability_check(c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref) +{ + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(z.$dualcell_$_val, write) && true && + (acc(z.$dualcell_$_own, write) && true) && + (acc(TLock(r, lvl, x), write) && (lvl >= 0 && true)) && + lvl < l && + (z.$dualcell_$_own ? 
+ TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write) : + acc(z.$dualcell_$left, write) && + z.$dualcell_$left == z.$dualcell_$_val && + (acc(z.$dualcell_$right, write) && + z.$dualcell_$right == z.$dualcell_$_val)) + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize9](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize9](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize9](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + 
old[pre_stabilize9](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) END + + assert acc(z.$dualcell_$_val, write) && true && + (acc(z.$dualcell_$_own, write) && true) && + (acc(TLock(r, lvl, x), write) && (lvl >= 0 && true)) && + lvl < l && + (z.$dualcell_$_own ? + TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write) : + acc(z.$dualcell_$left, write) && + z.$dualcell_$left == z.$dualcell_$_val && + (acc(z.$dualcell_$right, write) && + z.$dualcell_$right == z.$dualcell_$_val)) +} + +method $_Client_action_transitivity_check() +{ + var Z: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && true && Z + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && true && Z + assert aState == cState || + aState == aState && cState == cState && true && Z +} + +method $_TLock_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), 
write)) + inhale acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_74_150(x.$memcell_$next)) } + ($a in comprehension_74_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_74_150(x.$memcell_$next)) } + ($a in comprehension_74_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize10](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize10](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < 
perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize10](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) END + + assert acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_74_150(x.$memcell_$next)) } + ($a in comprehension_74_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_74_150(x.$memcell_$next)) } + ($a in comprehension_74_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner +} + +method $_TLock_action_transitivity_check() +{ + var TICKET: Set[Int] + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + (comprehension_78_280($_action_n_0_x, $_action_m_0_x) subset TICKET) + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + (comprehension_78_280($_action_n_0_y, $_action_m_0_y) subset TICKET) + 
assert aState == cState || + aState == aState && cState == cState && aState < cState && + (comprehension_78_280(aState, cState) subset TICKET) +} + +method $_foo_condition_stability_precondition_check(c: Ref, l: Int, z: Ref, + r: Ref, lvl: Int, x: Ref, w: Int) + requires acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) +{ + var $_levelVar_9: Int + inhale $_levelVar_9 >= 0 && $_levelVar_9 > l + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Client,TLock (check stability of method condition) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize11](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize11](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: 
Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize11](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of method condition) END + + assert acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) +} + +method $_acquire_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) +{ + var $_levelVar_10: Int + inhale $_levelVar_10 >= 0 && $_levelVar_10 > lvl + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_89_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == 
+ old(TLock_state(r, lvl, x)) + + // ------- Stabilising regions Client,TLock (check stability of method condition) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize12](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize12](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize12](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, 
$$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of method condition) END + + assert acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) +} + +method $_release_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +{ + var $_levelVar_11: Int + inhale $_levelVar_11 >= 0 && $_levelVar_11 > lvl + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_89_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + old(TLock_state(r, lvl, x)) + + // ------- Stabilising regions Client,TLock (check stability of method condition) BEGIN + + label pre_stabilize13 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < 
perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize13](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize13](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize13](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_78_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of method condition) END + + assert acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +} \ No newline at end of file 
diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BagStack.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BagStack.vl.vpr
new file mode 100644
index 00000000..8ae43fa4
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BagStack.vl.vpr
@@ -0,0 +1,3406 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Bag_state_T(r: Ref, lvl: Int, z: Ref): Bool + + function BagList_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function Bag_interferenceReference_df($p0: Int, r: Ref, lvl: Int, z: Ref): Bool + + function BagList_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Bag_interferenceSet_df($p0: Int, r: Ref, lvl: Int, z: Ref): Set[Seq[Int]] + + function BagList_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Seq[Int]] +} + +domain atomicity_context_Domain { + + function Bag_atomicity_context_df(r: Ref, lvl: Int, z: Ref): Bool + + function BagList_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_seq_int_: Seq[Int] + +field $stepTo_seq_int_: Seq[Int] + +field $entry_$next: Ref + +field $entry_$_nextId: Ref + +field $entry_$_nextLvl: Int + +field $entry_$_nextState: Seq[Int] + +field $link_$val: Int + +field $link_$next: Ref + +field $link_$_nextId: Ref + +field $link_$_nextLvl: Int + +field $link_$_nextState: Seq[Int] + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function Bag_atomicity_context_hf(r: Ref, lvl: Int, z: Ref): Set[Seq[Int]] + requires acc(Bag_atomicity_context_fp(r, lvl, z), write) + ensures [Bag_atomicity_context_df(r, lvl, z), true] + + +function Bag_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, z: Ref): Set[Seq[Int]] + requires acc(Bag_interferenceContext_fp(r, lvl, z), write) + ensures [(forall $_m: Seq[Int] :: + { ($_m in result) } + ($_m in result) ==> ($_m in Bag_interferenceSet_df($p0, r, lvl, z))), + true] + + +function Bag_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag_interferenceContext_fp(r, lvl, z), write) + ensures 
[Bag_interferenceReference_df($p0, r, lvl, z), true] + + +function Bag_sk_$_action_p(r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag_sk_fp(), write) + + +function Bag_sk_$_action_q(r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag_sk_fp(), write) + + +function Bag_state(r: Ref, lvl: Int, z: Ref): Seq[Int] + requires acc(Bag(r, lvl, z), write) + ensures [Bag_state_T(r, lvl, z), true] +{ + (unfolding acc(Bag(r, lvl, z), write) in z.$entry_$_nextState) +} + +function BagList_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Seq[Int]] + requires acc(BagList_atomicity_context_fp(r, lvl, x), write) + ensures [BagList_atomicity_context_df(r, lvl, x), true] + + +function BagList_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Seq[Int]] + requires acc(BagList_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Seq[Int] :: + { ($_m in result) } + ($_m in result) ==> + ($_m in BagList_interferenceSet_df($p0, r, lvl, x))), + true] + + +function BagList_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList_interferenceContext_fp(r, lvl, x), write) + ensures [BagList_interferenceReference_df($p0, r, lvl, x), true] + + +function BagList_sk_$_action_p(r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList_sk_fp(), write) + + +function BagList_sk_$_action_q(r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList_sk_fp(), write) + + +function BagList_state(r: Ref, lvl: Int, x: Ref): Seq[Int] + requires acc(BagList(r, lvl, x), write) + ensures [BagList_state_T(r, lvl, x), true] +{ + (unfolding acc(BagList(r, lvl, x), write) in + (x == null ? 
Seq[Int]() : Seq(x.$link_$val) ++ x.$link_$_nextState)) +} + +predicate Bag_Z($r: Ref) + +predicate Bag_atomicity_context_fp(r: Ref, lvl: Int, z: Ref) + +predicate Bag_interferenceContext_fp(r: Ref, lvl: Int, z: Ref) + +predicate Bag_sk_fp() + +predicate Bag(r: Ref, lvl: Int, z: Ref) { + acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) && + (acc(BagList(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next), write) && + (z.$entry_$_nextLvl >= 0 && + BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next) == + z.$entry_$_nextState)) && + acc(BagList_G(z.$entry_$_nextId), write) && + z.$entry_$_nextLvl < lvl +} + +predicate BagList_G($r: Ref) + +predicate BagList_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate BagList_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate BagList_sk_fp() + +predicate BagList(r: Ref, lvl: Int, x: Ref) { + acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true))) && + (!(x == null) ? 
+ acc(BagList(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next), write) && + (x.$link_$_nextLvl >= 0 && + BagList_state(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next) == + x.$link_$_nextState) && + acc(BagList_G(x.$link_$_nextId), write) && + x.$link_$_nextLvl < lvl : + true) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Seq_Int_() returns ($r: Seq[Int]) + + +method ___silicon_hack407_havoc_all_Bag() + + +method ___silicon_hack407_havoc_all_Bag_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_BagList() + + +method ___silicon_hack407_havoc_all_BagList_interferenceContext_fp() + + +method push(r: Ref, lvl: Int, z: Ref, n: Int) + requires acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) + ensures acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) +{ + var x: Ref + var y: Ref + var b: Bool + var c: Ref + var l: Int + var u: Ref + var ur: Ref + var ul: Int + var u_state: Seq[Int] + var u$: Ref + var ur$: Ref + var ul$: Int + var u_state$: Seq[Int] + var $_levelVar_0: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + inhale $_levelVar_0 >= 0 && $_levelVar_0 > lvl + assert $_levelVar_0 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + 
(acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$link_$val := n + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Bag,BagList (after heap-write@69.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(1, $r, $lvl, $z)) } + none < old[pre_stabilize0](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(1, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize0](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize0](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize0](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in Bag_interferenceSet_hf(1, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize0](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(1, $r, $lvl, $z) == + old[pre_stabilize0](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref 
[BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize0](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize0](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-write@69.3) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_0 > lvl + $_levelVar_1 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre0 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(1, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre0](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + y := z.$entry_$next + + // ------- heap-read END ----------- + + fold 
acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region0](Bag_state(r, lvl, z)) + $_levelVar_2 := $_levelVar_0 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@75.5) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(2, $r, $lvl, $z)) } + none < old[pre_stabilize](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(2, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in Bag_interferenceSet_hf(2, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(2, $r, $lvl, $z) == + old[pre_stabilize](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in 
BagList_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@75.5) END + + + // ------- heap-write BEGIN -------- + + x.$link_$next := y + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Bag,BagList (after heap-write@79.5) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(3, $r, $lvl, $z)) } + none < old[pre_stabilize2](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(3, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, 
$z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize2](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize2](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize2](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in Bag_interferenceSet_hf(3, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize2](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(3, $r, $lvl, $z) == + old[pre_stabilize2](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize2](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + 
BagList_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize2](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-write@79.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Bag_atomicity_context_fp(r, lvl, z)) == none + assert $_levelVar_2 > lvl + $_levelVar_3 := lvl + exhale acc(Bag_Z(r), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(3, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + inhale acc(Bag_Z(r), write) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u := z.$entry_$next + ur := z.$entry_$_nextId + ul := z.$entry_$_nextLvl + u_state := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call0 + assert $_levelVar_3 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call0](z.$entry_$next) == y ? 
+ b && (acc(z.$entry_$next, write) && z.$entry_$next == x) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call0](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- assume BEGIN ------------ + + inhale ul < l && l < lvl + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + createBagList(c, l, x, ur, ul, u_state) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, c, l) + + // ------- apply END --------------- + + assert $_levelVar_3 == $_levelVar_3 + } + $_levelVar_4 := $_levelVar_3 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + assert true + $_levelVar_5 := $_levelVar_2 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Bag,BagList (after use-atomic@81.5) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(4, $r, $lvl, $z)) } + none < old[pre_stabilize3](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(4, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize3](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize3](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize3](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, 
$lvl, $z) in Bag_interferenceSet_hf(4, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize3](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(4, $r, $lvl, $z) == + old[pre_stabilize3](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize3](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize3](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after use-atomic@81.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant 
acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) + invariant (!b ? + acc(x.$link_$val, write) && x.$link_$val == n && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) : + true) + { + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_atomicity_context_fp($r, + $lvl, $z), old[preWhile0](perm(Bag_atomicity_context_fp($r, $lvl, $z))))) + inhale (forall $r: Ref, $lvl: Int, $z: Ref :: + { Bag_atomicity_context_df($r, $lvl, $z) } + none < old[preWhile0](perm(Bag_atomicity_context_fp($r, $lvl, $z))) ==> + Bag_atomicity_context_hf($r, $lvl, $z) == + old[preWhile0](Bag_atomicity_context_hf($r, $lvl, $z))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(BagList_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BagList_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(BagList_atomicity_context_fp($r, $lvl, $x))) ==> + BagList_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](BagList_atomicity_context_hf($r, $lvl, $x))) + assert acc(Bag(r, lvl, z), write) + + // ------- Stabilising regions Bag (infer context for open-region) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region Bag + quasihavoc Bag_interferenceContext_fp(r, lvl, z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(5, r, lvl, z)) } + ($$_m in Bag_interferenceSet_hf(5, r, lvl, z)) == + ((none < 
perm(r.$diamond) && + none < perm(Bag_atomicity_context_fp(r, lvl, z)) ==> + ($$_m in Bag_atomicity_context_hf(r, lvl, z))) && + ($$_m == old[pre_stabilize4](Bag_state(r, lvl, z)) || + Bag_sk_$_action_p(r, lvl, z) == + old[pre_stabilize4](Bag_state(r, lvl, z)) && + Bag_sk_$_action_q(r, lvl, z) == $$_m && + true && + true))) + quasihavoc Bag(r, lvl, z) + inhale (Bag_state(r, lvl, z) in Bag_interferenceSet_hf(5, r, lvl, z)) + + // havoc performed by other front resource + + inhale Bag_interferenceReference_hf(5, r, lvl, z) == + old[pre_stabilize4](Bag_state(r, lvl, z)) + + // ------- Stabilising regions Bag (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_5 > lvl + $_levelVar_6 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre2 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(5, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre2](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + y := z.$entry_$next + + // ------- heap-read END ----------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region](Bag_state(r, lvl, z)) + $_levelVar_7 := $_levelVar_5 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@75.5) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(6, $r, $lvl, $z)) } + none < 
old[pre_stabilize5](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(6, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize5](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize5](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize5](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(6, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize5](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(6, $r, $lvl, $z) == + old[pre_stabilize5](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize5](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + 
inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize5](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@75.5) END + + + // ------- heap-write BEGIN -------- + + x.$link_$next := y + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Bag,BagList (after heap-write@79.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(7, $r, $lvl, $z)) } + none < old[pre_stabilize6](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(7, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize6](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize6](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize6](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(7, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref 
[Bag($r, $lvl, $z)] :: none < + old[pre_stabilize6](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(7, $r, $lvl, $z) == + old[pre_stabilize6](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize6](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize6](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-write@79.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(Bag_atomicity_context_fp(r, lvl, z)) == none + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + exhale acc(Bag_Z(r), write) + unfold acc(Bag(r, lvl, z), write) + 
label transitionPre3 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(7, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre3](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + inhale acc(Bag_Z(r), write) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u$ := z.$entry_$next + ur$ := z.$entry_$_nextId + ul$ := z.$entry_$_nextLvl + u_state$ := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call + assert $_levelVar_8 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call](z.$entry_$next) == y ? 
+ b && (acc(z.$entry_$next, write) && z.$entry_$next == x) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- assume BEGIN ------------ + + inhale ul$ < l && l < lvl + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + createBagList(c, l, x, ur$, ul$, u_state$) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, c, l) + + // ------- apply END --------------- + + assert $_levelVar_8 == $_levelVar_8 + } + $_levelVar_9 := $_levelVar_8 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + assert true + $_levelVar_10 := $_levelVar_7 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Bag,BagList (after use-atomic@81.5) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(8, $r, $lvl, $z)) } + none < old[pre_stabilize7](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(8, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize7](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize7](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize7](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, 
$lvl, $z) in + Bag_interferenceSet_hf(8, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize7](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(8, $r, $lvl, $z) == + old[pre_stabilize7](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(8, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(8, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize7](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(8, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(8, $r, $lvl, $x) == + old[pre_stabilize7](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after use-atomic@81.5) END + + assert $_levelVar_10 == $_levelVar_5 + } + $_levelVar_11 := $_levelVar_5 + + // ------- 
while END --------------- + +} + +method pop(r: Ref, lvl: Int, z: Ref) returns (v: Int) + requires acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) + ensures acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) +{ + var t: Ref + var tn: Ref + var b: Bool + var vi: Int + var jr: Ref + var jl: Int + var u: Ref + var ur: Ref + var ul: Int + var u_state: Seq[Int] + var n: Ref + var nr: Ref + var nl: Int + var n_state: Seq[Int] + var e: Int + var jr$: Ref + var jl$: Int + var u$: Ref + var ur$: Ref + var ul$: Int + var u_state$: Seq[Int] + var n$: Ref + var nr$: Ref + var nl$: Int + var n_state$: Seq[Int] + var e$: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + var $_levelVar_21: Int + var $_levelVar_22: Int + var $_levelVar_23: Int + var $_levelVar_24: Int + var $_levelVar_25: Int + var $_levelVar_26: Int + var $_levelVar_27: Int + var $_levelVar_28: Int + var $_levelVar_29: Int + inhale $_levelVar_12 >= 0 && $_levelVar_12 > lvl + assert $_levelVar_12 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- assign BEGIN ------------ + + b := false + + // ------- assign END -------------- + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_12 > lvl + $_levelVar_13 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre4 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + 
inhale true ==> + BagList_interferenceReference_hf(8, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre4](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + t := z.$entry_$next + + // ------- heap-read END ----------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && z.$entry_$next == t && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + jr := z.$entry_$_nextId + jl := z.$entry_$_nextLvl + + // ------- assert END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(BagList(jr, jl, t), write) && (jl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(BagList(jr, jl, t), write) && (jl >= 0 && true) + + // ------- inhale END -------------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region2](Bag_state(r, lvl, z)) + $_levelVar_14 := $_levelVar_12 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@121.5) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(9, $r, $lvl, $z)) } + none < old[pre_stabilize8](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(9, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize8](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize8](Bag_state($r, $lvl, 
$z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize8](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in Bag_interferenceSet_hf(9, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize8](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(9, $r, $lvl, $z) == + old[pre_stabilize8](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize8](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BagList($r, 
$lvl, $x))) ==> + BagList_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize8](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@121.5) END + + + // ------- if-then-else BEGIN ------ + + if (!(t == null)) { + assert acc(BagList(jr, jl, t), write) + + // ------- Stabilising regions BagList (infer context for open-region) BEGIN + + label pre_stabilize9 + + // Stabilising single instance of region BagList + quasihavoc BagList_interferenceContext_fp(jr, jl, t) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(10, jr, jl, t)) } + ($$_m in BagList_interferenceSet_hf(10, jr, jl, t)) == + ((none < perm(jr.$diamond) && + none < perm(BagList_atomicity_context_fp(jr, jl, t)) ==> + ($$_m in BagList_atomicity_context_hf(jr, jl, t))) && + ($$_m == old[pre_stabilize9](BagList_state(jr, jl, t)) || + BagList_sk_$_action_p(jr, jl, t) == + old[pre_stabilize9](BagList_state(jr, jl, t)) && + BagList_sk_$_action_q(jr, jl, t) == $$_m && + true && + perm(BagList_G(jr)) == none))) + quasihavoc BagList(jr, jl, t) + inhale (BagList_state(jr, jl, t) in + BagList_interferenceSet_hf(10, jr, jl, t)) + + // havoc performed by other front resource + + inhale BagList_interferenceReference_hf(10, jr, jl, t) == + old[pre_stabilize9](BagList_state(jr, jl, t)) + + // ------- Stabilising regions BagList (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_14 > jl + $_levelVar_15 := jl + unfold acc(BagList(jr, jl, t), write) + label transitionPre5 + quasihavoc BagList_interferenceContext_fp(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale !(t == null) ==> + BagList_interferenceReference_hf(10, t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) == + 
old[transitionPre5](BagList_state(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next)) + + // ------- heap-read BEGIN --------- + + tn := t.$link_$next + + // ------- heap-read END ----------- + + fold acc(BagList(jr, jl, t), write) + assert BagList_state(jr, jl, t) == + old[pre_open_region3](BagList_state(jr, jl, t)) + $_levelVar_16 := $_levelVar_14 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@132.7) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(11, $r, $lvl, $z)) } + none < old[pre_stabilize10](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(11, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize10](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize10](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize10](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(11, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize10](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(11, $r, $lvl, $z) == + old[pre_stabilize10](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: 
BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(11, $r, $lvl, $x)) } + none < old[pre_stabilize10](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(11, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize10](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize10](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(11, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(11, $r, $lvl, $x) == + old[pre_stabilize10](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@132.7) END + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList(jr, jl, t), write) && (jl >= 0 && true) + + // ------- exhale END -------------- + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic2 + assert perm(Bag_atomicity_context_fp(r, lvl, z)) == none + assert $_levelVar_16 > lvl + $_levelVar_17 := lvl + exhale acc(Bag_Z(r), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre6 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + 
z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(11, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre6](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + inhale acc(Bag_Z(r), write) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u := z.$entry_$next + ur := z.$entry_$_nextId + ul := z.$entry_$_nextLvl + u_state := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call2 + assert $_levelVar_17 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call2](z.$entry_$next) == t ? 
+ b && (acc(z.$entry_$next, write) && z.$entry_$next == tn) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call2](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- unfold BEGIN ------------ + + assert ul >= 0 && true + unfold acc(BagList(ur, ul, t), write) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) BEGIN + + label pre_infer0 + + // Inferring interference all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(12, $r, $lvl, $z)) } + none < old[pre_infer0](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(12, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_infer0](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_infer0](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_infer0](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(12, $r, $lvl, $z) == + old[pre_infer0](Bag_state($r, $lvl, $z))) + + // Inferring interference all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(12, $r, $lvl, $x)) } + none 
< old[pre_infer0](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer0](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_infer0](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_infer0](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_infer0](BagList_state($r, $lvl, $x))) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList_G(ur), write) + + // ------- exhale END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$next, write) && true && + (acc(t.$link_$_nextId, write) && true && + (acc(t.$link_$_nextLvl, write) && true) && + (acc(t.$link_$_nextState, write) && true)) + n := t.$link_$next + nr := t.$link_$_nextId + nl := t.$link_$_nextLvl + n_state := t.$link_$_nextState + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale n == tn + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, nr, nl) + + // ------- apply END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$val, write) && true + e := t.$link_$val + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + vi := havoc_Int() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale vi == e + + // ------- assume END 
-------------- + + assert $_levelVar_17 == $_levelVar_17 + } + $_levelVar_18 := $_levelVar_17 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + assert true + $_levelVar_19 := $_levelVar_16 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Bag,BagList (after use-atomic@138.7) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(13, $r, $lvl, $z)) } + none < old[pre_stabilize11](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(13, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize11](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize11](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize11](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(13, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize11](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(13, $r, $lvl, $z) == + old[pre_stabilize11](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale 
(forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(13, $r, $lvl, $x)) } + none < old[pre_stabilize11](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(13, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize11](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize11](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(13, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(13, $r, $lvl, $x) == + old[pre_stabilize11](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after use-atomic@138.7) END + + assert $_levelVar_19 == $_levelVar_14 + } + $_levelVar_20 := $_levelVar_14 + + // ------- if-then-else END -------- + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) + invariant (b ? 
acc(t.$link_$val, write) && t.$link_$val == vi : true) + { + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_atomicity_context_fp($r, + $lvl, $z), old[preWhile](perm(Bag_atomicity_context_fp($r, $lvl, $z))))) + inhale (forall $r: Ref, $lvl: Int, $z: Ref :: + { Bag_atomicity_context_df($r, $lvl, $z) } + none < old[preWhile](perm(Bag_atomicity_context_fp($r, $lvl, $z))) ==> + Bag_atomicity_context_hf($r, $lvl, $z) == + old[preWhile](Bag_atomicity_context_hf($r, $lvl, $z))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(BagList_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BagList_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(BagList_atomicity_context_fp($r, $lvl, $x))) ==> + BagList_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](BagList_atomicity_context_hf($r, $lvl, $x))) + assert acc(Bag(r, lvl, z), write) + + // ------- Stabilising regions Bag (infer context for open-region) BEGIN + + label pre_stabilize12 + + // Stabilising single instance of region Bag + quasihavoc Bag_interferenceContext_fp(r, lvl, z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(14, r, lvl, z)) } + ($$_m in Bag_interferenceSet_hf(14, r, lvl, z)) == + ((none < perm(r.$diamond) && + none < perm(Bag_atomicity_context_fp(r, lvl, z)) ==> + ($$_m in Bag_atomicity_context_hf(r, lvl, z))) && + ($$_m == old[pre_stabilize12](Bag_state(r, lvl, z)) || + Bag_sk_$_action_p(r, lvl, z) == + old[pre_stabilize12](Bag_state(r, lvl, z)) && + 
Bag_sk_$_action_q(r, lvl, z) == $$_m && + true && + true))) + quasihavoc Bag(r, lvl, z) + inhale (Bag_state(r, lvl, z) in Bag_interferenceSet_hf(14, r, lvl, z)) + + // havoc performed by other front resource + + inhale Bag_interferenceReference_hf(14, r, lvl, z) == + old[pre_stabilize12](Bag_state(r, lvl, z)) + + // ------- Stabilising regions Bag (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region4 + assert $_levelVar_20 > lvl + $_levelVar_21 := lvl + unfold acc(Bag(r, lvl, z), write) + label transitionPre7 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(14, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre7](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + + // ------- heap-read BEGIN --------- + + t := z.$entry_$next + + // ------- heap-read END ----------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && z.$entry_$next == t && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + jr$ := z.$entry_$_nextId + jl$ := z.$entry_$_nextLvl + + // ------- assert END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(BagList(jr$, jl$, t), write) && (jl$ >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(BagList(jr$, jl$, t), write) && (jl$ >= 0 && true) + + // ------- inhale END -------------- + + fold acc(Bag(r, lvl, z), write) + assert Bag_state(r, lvl, z) == + old[pre_open_region4](Bag_state(r, lvl, z)) + $_levelVar_22 := $_levelVar_20 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@121.5) BEGIN + + label 
pre_stabilize13 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(15, $r, $lvl, $z)) } + none < old[pre_stabilize13](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(15, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize13](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize13](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize13](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(15, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize13](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(15, $r, $lvl, $z) == + old[pre_stabilize13](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(15, $r, $lvl, $x)) } + none < old[pre_stabilize13](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(15, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, 
$lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize13](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize13](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(15, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(15, $r, $lvl, $x) == + old[pre_stabilize13](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@121.5) END + + + // ------- if-then-else BEGIN ------ + + if (!(t == null)) { + assert acc(BagList(jr$, jl$, t), write) + + // ------- Stabilising regions BagList (infer context for open-region) BEGIN + + label pre_stabilize14 + + // Stabilising single instance of region BagList + quasihavoc BagList_interferenceContext_fp(jr$, jl$, t) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(16, jr$, jl$, t)) } + ($$_m in BagList_interferenceSet_hf(16, jr$, jl$, t)) == + ((none < perm(jr$.$diamond) && + none < perm(BagList_atomicity_context_fp(jr$, jl$, t)) ==> + ($$_m in BagList_atomicity_context_hf(jr$, jl$, t))) && + ($$_m == old[pre_stabilize14](BagList_state(jr$, jl$, t)) || + BagList_sk_$_action_p(jr$, jl$, t) == + old[pre_stabilize14](BagList_state(jr$, jl$, t)) && + BagList_sk_$_action_q(jr$, jl$, t) == $$_m && + true && + perm(BagList_G(jr$)) == none))) + quasihavoc BagList(jr$, jl$, t) + inhale 
(BagList_state(jr$, jl$, t) in + BagList_interferenceSet_hf(16, jr$, jl$, t)) + + // havoc performed by other front resource + + inhale BagList_interferenceReference_hf(16, jr$, jl$, t) == + old[pre_stabilize14](BagList_state(jr$, jl$, t)) + + // ------- Stabilising regions BagList (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region5 + assert $_levelVar_22 > jl$ + $_levelVar_23 := jl$ + unfold acc(BagList(jr$, jl$, t), write) + label transitionPre8 + quasihavoc BagList_interferenceContext_fp(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale !(t == null) ==> + BagList_interferenceReference_hf(16, t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next) == + old[transitionPre8](BagList_state(t.$link_$_nextId, t.$link_$_nextLvl, + t.$link_$next)) + + // ------- heap-read BEGIN --------- + + tn := t.$link_$next + + // ------- heap-read END ----------- + + fold acc(BagList(jr$, jl$, t), write) + assert BagList_state(jr$, jl$, t) == + old[pre_open_region5](BagList_state(jr$, jl$, t)) + $_levelVar_24 := $_levelVar_22 + + // ------- open-region END --------- + + + // ------- Stabilising regions Bag,BagList (after open-region@132.7) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(17, $r, $lvl, $z)) } + none < old[pre_stabilize15](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(17, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize15](Bag_state($r, 
$lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize15](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize15](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(17, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize15](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(17, $r, $lvl, $z) == + old[pre_stabilize15](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(17, $r, $lvl, $x)) } + none < old[pre_stabilize15](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(17, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize15](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize15](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(17, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale 
(forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(17, $r, $lvl, $x) == + old[pre_stabilize15](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after open-region@132.7) END + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList(jr$, jl$, t), write) && (jl$ >= 0 && true) + + // ------- exhale END -------------- + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic3 + assert perm(Bag_atomicity_context_fp(r, lvl, z)) == none + assert $_levelVar_24 > lvl + $_levelVar_25 := lvl + exhale acc(Bag_Z(r), write) + unfold acc(Bag(r, lvl, z), write) + label transitionPre9 + quasihavoc BagList_interferenceContext_fp(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + BagList_interferenceReference_hf(17, z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next) == + old[transitionPre9](BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, + z.$entry_$next)) + inhale acc(Bag_Z(r), write) + exhale acc(Bag(r, lvl, z), perm(Bag(r, lvl, z))) + + // ------- assert BEGIN ------------ + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) + u$ := z.$entry_$next + ur$ := z.$entry_$_nextId + ul$ := z.$entry_$_nextLvl + u_state$ := z.$entry_$_nextState + + // ------- assert END -------------- + + + // ------- call:CAS_entry BEGIN ---- + + assert true + label pre_call3 + assert $_levelVar_25 >= 0 + assert true + exhale acc(z.$entry_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call3](z.$entry_$next) == t ? 
+ b && (acc(z.$entry_$next, write) && z.$entry_$next == tn) : + !b && + (acc(z.$entry_$next, write) && + z.$entry_$next == old[pre_call3](z.$entry_$next))) + + // ------- call:CAS_entry END ------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- unfold BEGIN ------------ + + assert ul$ >= 0 && true + unfold acc(BagList(ur$, ul$, t), write) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) BEGIN + + label pre_infer + + // Inferring interference all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(18, $r, $lvl, $z)) } + none < old[pre_infer](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(18, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_infer](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_infer](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_infer](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(18, $r, $lvl, $z) == + old[pre_infer](Bag_state($r, $lvl, $z))) + + // Inferring interference all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(18, $r, $lvl, $x)) } + none < 
old[pre_infer](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(18, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_infer](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_infer](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(18, $r, $lvl, $x) == + old[pre_infer](BagList_state($r, $lvl, $x))) + + // ------- Inferring interference context Bag,BagList (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(BagList_G(ur$), write) + + // ------- exhale END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$next, write) && true && + (acc(t.$link_$_nextId, write) && true && + (acc(t.$link_$_nextLvl, write) && true) && + (acc(t.$link_$_nextState, write) && true)) + n$ := t.$link_$next + nr$ := t.$link_$_nextId + nl$ := t.$link_$_nextLvl + n_state$ := t.$link_$_nextState + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale n$ == tn + + // ------- assume END -------------- + + + // ------- apply BEGIN ------------- + + updateEntryGhost(z, nr$, nl$) + + // ------- apply END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(t.$link_$val, write) && true + e$ := t.$link_$val + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + vi := havoc_Int() + + // ------- havoc END --------------- + + + // ------- assume BEGIN ------------ + + inhale vi == e$ + + // ------- assume END 
-------------- + + assert $_levelVar_25 == $_levelVar_25 + } + $_levelVar_26 := $_levelVar_25 + + // ------- if-then-else END -------- + + fold acc(Bag(r, lvl, z), write) + assert true + $_levelVar_27 := $_levelVar_24 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Bag,BagList (after use-atomic@138.7) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(19, $r, $lvl, $z)) } + none < old[pre_stabilize16](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(19, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize16](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize16](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize16](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in + Bag_interferenceSet_hf(19, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize16](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(19, $r, $lvl, $z) == + old[pre_stabilize16](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale 
(forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(19, $r, $lvl, $x)) } + none < old[pre_stabilize16](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(19, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize16](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize16](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(19, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(19, $r, $lvl, $x) == + old[pre_stabilize16](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after use-atomic@138.7) END + + assert $_levelVar_27 == $_levelVar_22 + } + $_levelVar_28 := $_levelVar_22 + + // ------- if-then-else END -------- + + assert $_levelVar_28 == $_levelVar_20 + } + $_levelVar_29 := $_levelVar_20 + + // ------- while END --------------- + + + // ------- heap-read BEGIN --------- + + v := t.$link_$val + + // ------- heap-read END ----------- + + + // ------- Stabilising regions Bag,BagList (after heap-read@164.3) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag_interferenceContext_fp($$r, + $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale 
acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: (forall $$_m: Seq[Int] :: + { ($$_m in Bag_interferenceSet_df(20, $r, $lvl, $z)) } + none < old[pre_stabilize17](perm(Bag($r, $lvl, $z))) ==> + ($$_m in Bag_interferenceSet_hf(20, $r, $lvl, $z)) == + ((none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + ($$_m in Bag_atomicity_context_hf($r, $lvl, $z))) && + ($$_m == old[pre_stabilize17](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize17](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize17](perm(Bag($r, $lvl, $z))) ==> + (Bag_state($r, $lvl, $z) in Bag_interferenceSet_hf(20, $r, $lvl, $z))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize17](perm(Bag($r, $lvl, $z))) ==> + Bag_interferenceReference_hf(20, $r, $lvl, $z) == + old[pre_stabilize17](Bag_state($r, $lvl, $z))) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: (forall $$_m: Seq[Int] :: + { ($$_m in BagList_interferenceSet_df(20, $r, $lvl, $x)) } + none < old[pre_stabilize17](perm(BagList($r, $lvl, $x))) ==> + ($$_m in BagList_interferenceSet_hf(20, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BagList_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize17](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + 
old[pre_stabilize17](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == $$_m && + true && + perm(BagList_G($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(BagList($r, $lvl, $x))) ==> + (BagList_state($r, $lvl, $x) in + BagList_interferenceSet_hf(20, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(BagList($r, $lvl, $x))) ==> + BagList_interferenceReference_hf(20, $r, $lvl, $x) == + old[pre_stabilize17](BagList_state($r, $lvl, $x))) + + // ------- Stabilising regions Bag,BagList (after heap-read@164.3) END + +} + +method updateEntryGhost(x: Ref, c: Ref, l: Int) + requires acc(x.$entry_$next, write) && true && + (acc(BagList(c, l, x.$entry_$next), write) && (l >= 0 && true)) && + (acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true)) + ensures acc(x.$entry_$next, write) && + x.$entry_$next == old(x.$entry_$next) && + (acc(BagList(c, l, old(x.$entry_$next)), write) && + (l >= 0 && + BagList_state(c, l, old(x.$entry_$next)) == + old(BagList_state(c, l, x.$entry_$next)))) && + (acc(x.$entry_$_nextId, write) && x.$entry_$_nextId == c && + (acc(x.$entry_$_nextLvl, write) && x.$entry_$_nextLvl == l) && + (acc(x.$entry_$_nextState, write) && + x.$entry_$_nextState == old(BagList_state(c, l, x.$entry_$next)))) +{ + var hr: Ref + var hl: Int + var h_state: Seq[Int] + var $_levelVar_30: Int + inhale $_levelVar_30 >= 0 && $_levelVar_30 > l + assert $_levelVar_30 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: 
Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- exhale BEGIN ------------ + + exhale acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true) + hr := x.$entry_$_nextId + hl := x.$entry_$_nextLvl + h_state := x.$entry_$_nextState + + // ------- inhale END -------------- + + + // ------- assume BEGIN ------------ + + inhale hr == c && hl == l && + h_state == old(BagList_state(c, l, x.$entry_$next)) + + // ------- assume END -------------- + +} + +method updateLinkGhost(x: Ref, c: Ref, l: Int) + requires acc(x.$link_$next, write) && true && + (acc(BagList(c, l, x.$link_$next), write) && (l >= 0 && true)) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) + ensures acc(x.$link_$next, write) && x.$link_$next == old(x.$link_$next) && + (acc(BagList(c, l, old(x.$link_$next)), write) && + (l >= 0 && + BagList_state(c, l, old(x.$link_$next)) == + old(BagList_state(c, l, x.$link_$next)))) && + (acc(x.$link_$_nextId, write) && x.$link_$_nextId == c && + (acc(x.$link_$_nextLvl, write) && x.$link_$_nextLvl == l) && + (acc(x.$link_$_nextState, write) && + x.$link_$_nextState == old(BagList_state(c, l, x.$link_$next)))) +{ + var hr: Ref + var hl: Int + var h_state: Seq[Int] + var $_levelVar_31: Int + inhale $_levelVar_31 >= 0 && $_levelVar_31 > l + assert $_levelVar_31 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- exhale BEGIN ------------ + + exhale acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true) + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true) + hr := x.$link_$_nextId + hl := x.$link_$_nextLvl + h_state := x.$link_$_nextState + + // ------- inhale END -------------- + + + // ------- assume BEGIN ------------ + + inhale hr == c && hl == l && + h_state == old(BagList_state(c, l, x.$link_$next)) + + // ------- assume END -------------- + +} + +method createBagList(r: Ref, lvl: Int, x: Ref, c: Ref, l: Int, vs: Seq[Int]) + requires acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) && + (!(x == null) ? 
+ acc(BagList(c, l, x.$link_$next), write) && + (l >= 0 && BagList_state(c, l, x.$link_$next) == vs) && + acc(BagList_G(c), write) && + l < lvl : + true) + ensures acc(BagList(r, lvl, x), write) && + (lvl >= 0 && BagList_state(r, lvl, x) == Seq(old(x.$link_$val)) ++ vs) && + acc(BagList_G(r), write) +{ + var $_levelVar_32: Int + var $_levelVar_33: Int + inhale $_levelVar_32 >= 0 && $_levelVar_32 > l + assert $_levelVar_32 >= 0 + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(BagList_G(r), write) + + // ------- inhale END -------------- + + + // ------- if-then-else BEGIN ------ + + if (!(x == null)) { + + // ------- apply BEGIN ------------- + + updateLinkGhost(x, c, l) + + // ------- apply END --------------- + + assert $_levelVar_32 == $_levelVar_32 + } + $_levelVar_33 := $_levelVar_32 + + // ------- if-then-else END -------- + + + // ------- fold BEGIN -------------- + + fold acc(BagList(r, lvl, x), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method CAS_entry(x: Ref, now: Ref, thn: Ref) returns (ret: Bool) + requires acc(x.$entry_$next, write) && true + ensures (old(x.$entry_$next) == now ? 
+ ret && (acc(x.$entry_$next, write) && x.$entry_$next == thn) : + !ret && + (acc(x.$entry_$next, write) && x.$entry_$next == old(x.$entry_$next))) + + +method $_Bag_interpretation_stability_check(r: Ref, lvl: Int, z: Ref) +{ + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) && + (acc(BagList(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next), write) && + (z.$entry_$_nextLvl >= 0 && + BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next) == + z.$entry_$_nextState)) && + acc(BagList_G(z.$entry_$_nextId), write) && + z.$entry_$_nextLvl < lvl + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize18](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize18](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize18](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, 
$$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize18](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize18](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) END + + assert acc(z.$entry_$next, write) && true && + (acc(z.$entry_$_nextId, write) && true && + (acc(z.$entry_$_nextLvl, write) && true) && + (acc(z.$entry_$_nextState, write) && true)) && + (acc(BagList(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next), write) && + (z.$entry_$_nextLvl >= 0 && + BagList_state(z.$entry_$_nextId, z.$entry_$_nextLvl, z.$entry_$next) == + z.$entry_$_nextState)) && + acc(BagList_G(z.$entry_$_nextId), write) && + z.$entry_$_nextLvl < lvl +} + +method $_Bag_action_transitivity_check() +{ + var Z: Bool + var $_action_p_0_x: Seq[Int] + var $_action_q_0_x: Seq[Int] + var $_action_p_0_y: Seq[Int] + var $_action_q_0_y: Seq[Int] + var aState: Seq[Int] + var bState: Seq[Int] + var cState: Seq[Int] + inhale aState == bState || + $_action_p_0_x == aState && $_action_q_0_x == bState && true && Z + inhale bState == cState || + $_action_p_0_y == bState && $_action_q_0_y == cState && true && Z + assert aState == cState || + aState == aState && cState == cState && true && Z +} + +method $_BagList_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + 
inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true))) && + (!(x == null) ? + acc(BagList(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next), write) && + (x.$link_$_nextLvl >= 0 && + BagList_state(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next) == + x.$link_$_nextState) && + acc(BagList_G(x.$link_$_nextId), write) && + x.$link_$_nextLvl < lvl : + true) + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize19](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize19](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize19](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, 
$lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize19](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize19](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of region interpretation) END + + assert acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true))) && + (!(x == null) ? + acc(BagList(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next), write) && + (x.$link_$_nextLvl >= 0 && + BagList_state(x.$link_$_nextId, x.$link_$_nextLvl, x.$link_$next) == + x.$link_$_nextState) && + acc(BagList_G(x.$link_$_nextId), write) && + x.$link_$_nextLvl < lvl : + true) +} + +method $_BagList_action_transitivity_check() +{ + var G: Bool + var $_action_p_0_x: Seq[Int] + var $_action_q_0_x: Seq[Int] + var $_action_p_0_y: Seq[Int] + var $_action_q_0_y: Seq[Int] + var aState: Seq[Int] + var bState: Seq[Int] + var cState: Seq[Int] + inhale aState == bState || + $_action_p_0_x == aState && $_action_q_0_x == bState && true && G + inhale bState == cState || + $_action_p_0_y == bState && $_action_q_0_y == cState && true && G + assert aState == cState || + aState == aState && cState == cState && true && G +} + +method $_push_condition_stability_precondition_check(r: Ref, lvl: Int, z: Ref, + n: Int) + requires acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) +{ + var $_levelVar_35: Int + var x: Ref + var y: Ref + var b: Bool + var c: Ref + var l: Int + inhale $_levelVar_35 >= 0 && $_levelVar_35 > lvl + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + 
inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize20 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize20](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize20](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize20](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize20](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize20](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize20](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(Bag(r, lvl, z), write) && 
(lvl >= 0 && true) && + acc(Bag_Z(r), write) +} + +method $_pop_condition_stability_precondition_check(r: Ref, lvl: Int, z: Ref, + v: Int) + requires acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) +{ + var $_levelVar_36: Int + var t: Ref + var tn: Ref + var b: Bool + var vi: Int + inhale $_levelVar_36 >= 0 && $_levelVar_36 > lvl + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize21 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize21](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize21](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize21](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + 
BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize21](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize21](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(Bag(r, lvl, z), write) && (lvl >= 0 && true) && + acc(Bag_Z(r), write) +} + +method $_updateEntryGhost_condition_stability_precondition_check(x: Ref, c: Ref, + l: Int) + requires acc(x.$entry_$next, write) && true && + (acc(BagList(c, l, x.$entry_$next), write) && (l >= 0 && true)) && + (acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true)) +{ + var $_levelVar_37: Int + inhale $_levelVar_37 >= 0 && $_levelVar_37 > l + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize22 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize22](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize22](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + 
old[pre_stabilize22](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize22](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize22](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(x.$entry_$next, write) && true && + (acc(BagList(c, l, x.$entry_$next), write) && (l >= 0 && true)) && + (acc(x.$entry_$_nextId, write) && true && + (acc(x.$entry_$_nextLvl, write) && true) && + (acc(x.$entry_$_nextState, write) && true)) +} + +method $_updateLinkGhost_condition_stability_precondition_check(x: Ref, c: Ref, + l: Int) + requires acc(x.$link_$next, write) && true && + (acc(BagList(c, l, x.$link_$next), write) && (l >= 0 && true)) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) +{ + var $_levelVar_38: Int + inhale $_levelVar_38 >= 0 && $_levelVar_38 > l + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize23 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize23](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize23](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize23](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize23](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize23](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize23](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(x.$link_$next, write) && true && + (acc(BagList(c, l, x.$link_$next), write) && (l >= 0 && true)) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, 
write) && true) && + (acc(x.$link_$_nextState, write) && true)) +} + +method $_createBagList_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, c: Ref, l: Int, vs: Seq[Int]) + requires acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) && + (!(x == null) ? + acc(BagList(c, l, x.$link_$next), write) && + (l >= 0 && BagList_state(c, l, x.$link_$next) == vs) && + acc(BagList_G(c), write) && + l < lvl : + true) +{ + var $_levelVar_39: Int + inhale $_levelVar_39 >= 0 && $_levelVar_39 > l + inhale acc(Bag_sk_fp(), write) && acc(BagList_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $z: Ref ::acc(Bag_interferenceContext_fp($r, + $lvl, $z), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BagList_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) BEGIN + + label pre_stabilize24 + + // Stabilising all instances of region Bag + quasihavocall $$r: Ref, $$lvl: Int, $$z: Ref :: Bag($$r, $$lvl, $$z) + exhale acc(Bag_sk_fp(), write) + inhale acc(Bag_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $z: Ref [Bag($r, $lvl, $z)] :: none < + old[pre_stabilize24](perm(Bag($r, $lvl, $z))) ==> + (none < perm($r.$diamond) && + none < perm(Bag_atomicity_context_fp($r, $lvl, $z)) ==> + (Bag_state($r, $lvl, $z) in Bag_atomicity_context_hf($r, $lvl, $z))) && + (Bag_state($r, $lvl, $z) == + old[pre_stabilize24](Bag_state($r, $lvl, $z)) || + Bag_sk_$_action_p($r, $lvl, $z) == + old[pre_stabilize24](Bag_state($r, $lvl, $z)) && + Bag_sk_$_action_q($r, $lvl, $z) == Bag_state($r, $lvl, $z) && + true && + true)) + + // Stabilising all instances of region BagList + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BagList($$r, $$lvl, $$x) + exhale acc(BagList_sk_fp(), write) + 
inhale acc(BagList_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BagList($r, $lvl, $x)] :: none < + old[pre_stabilize24](perm(BagList($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BagList_atomicity_context_fp($r, $lvl, $x)) ==> + (BagList_state($r, $lvl, $x) in + BagList_atomicity_context_hf($r, $lvl, $x))) && + (BagList_state($r, $lvl, $x) == + old[pre_stabilize24](BagList_state($r, $lvl, $x)) || + BagList_sk_$_action_p($r, $lvl, $x) == + old[pre_stabilize24](BagList_state($r, $lvl, $x)) && + BagList_sk_$_action_q($r, $lvl, $x) == BagList_state($r, $lvl, $x) && + true && + perm(BagList_G($r)) == none)) + + // ------- Stabilising regions Bag,BagList (check stability of method condition) END + + assert acc(x.$link_$val, write) && true && + (acc(x.$link_$next, write) && true) && + (acc(x.$link_$_nextId, write) && true && + (acc(x.$link_$_nextLvl, write) && true) && + (acc(x.$link_$_nextState, write) && true)) && + (!(x == null) ? + acc(BagList(c, l, x.$link_$next), write) && + (l >= 0 && BagList_state(c, l, x.$link_$next) == vs) && + acc(BagList_G(c), write) && + l < lvl : + true) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BoundedCounter.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BoundedCounter.vl.vpr new file mode 100644 index 00000000..9915b87c --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/BoundedCounter.vl.vpr 
@@ -0,0 +1,1162 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function BCounter_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function BCounter_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function BCounter_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function BCounter_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function BCounter_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(BCounter_atomicity_context_fp(r, lvl, x), write) + ensures [BCounter_atomicity_context_df(r, lvl, x), true] + + +function BCounter_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(BCounter_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in BCounter_interferenceSet_df($p0, r, lvl, x))), + true] + + +function BCounter_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter_interferenceContext_fp(r, lvl, x), write) + ensures [BCounter_interferenceReference_df($p0, r, lvl, x), true] + + +function BCounter_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter_sk_fp(), write) + + +function BCounter_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter_sk_fp(), write) + + +function BCounter_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(BCounter(r, lvl, x), write) + ensures [BCounter_state_T(r, lvl, x), true] +{ + (unfolding acc(BCounter(r, lvl, x), write) in x.$memcell_$f) +} + +predicate BCounter_INCREMENT($r: Ref) + +predicate 
BCounter_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate BCounter_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate BCounter_sk_fp() + +predicate BCounter(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1 || x.$memcell_$f == 2) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Perm() returns ($r: Perm) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_BCounter() + + +method ___silicon_hack407_havoc_all_BCounter_interferenceContext_fp() + + +method makeBCounter(r: Ref, lvl: Int) returns (ret: Ref) + requires lvl >= 0 + ensures acc(BCounter(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(r), write) +{ + var v: Ref + var w: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(v.$memcell_$f, write) && true + w := v.$memcell_$f + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + v.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions BCounter (after heap-write@18.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < 
perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize0](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after heap-write@18.3) END + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(BCounter_INCREMENT(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(BCounter(r, lvl, ret), write) + assert lvl >= 0 && BCounter_state(r, lvl, ret) == 0 + + // ------- fold END ---------------- + +} + +method incr(r: Ref, lvl: Int, x: Ref, p: Perm) returns (ret: Int) + requires acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + p >= 1 / 4 && + acc(BCounter_INCREMENT(r), p) + ensures acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(r), p) + ensures (p == write ? + ret == old(BCounter_state(r, lvl, x)) && + (old(BCounter_state(r, lvl, x)) < 2 ? 
+ BCounter_state(r, lvl, x) == old(BCounter_state(r, lvl, x)) + 1 : + BCounter_state(r, lvl, x) == 0) : + true) +{ + var v: Int + var w: Int + var b: Bool + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(BCounter(r, lvl, x), write) + + // ------- Stabilising regions BCounter (infer context for open-region) BEGIN + + label pre_stabilize + + // Stabilising single instance of region BCounter + quasihavoc BCounter_interferenceContext_fp(r, lvl, x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(2, r, lvl, x)) } + ($$_m in BCounter_interferenceSet_hf(2, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(BCounter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in BCounter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize](BCounter_state(r, lvl, x)) || + BCounter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize](BCounter_state(r, lvl, x)) && + BCounter_sk_$_action_m(r, lvl, x) == $$_m && + true && + perm(BCounter_INCREMENT(r)) <= write - 1 / 4))) + quasihavoc BCounter(r, lvl, x) + inhale (BCounter_state(r, lvl, x) in + BCounter_interferenceSet_hf(2, r, lvl, x)) + + // havoc performed by other front resource + + inhale BCounter_interferenceReference_hf(2, r, lvl, x) == + old[pre_stabilize](BCounter_state(r, lvl, x)) + + // ------- Stabilising regions BCounter (infer context for open-region) END + + + // ------- 
open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + unfold acc(BCounter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(BCounter(r, lvl, x), write) + assert BCounter_state(r, lvl, x) == + old[pre_open_region0](BCounter_state(r, lvl, x)) + $_levelVar_3 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions BCounter (after open-region@40.5) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + 
old[pre_stabilize2](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize2](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after open-region@40.5) END + + + // ------- if-then-else BEGIN ------ + + if (v < 2) { + + // ------- assign BEGIN ------------ + + w := v + 1 + + // ------- assign END -------------- + + assert $_levelVar_3 == $_levelVar_3 + } else { + $_levelVar_4 := $_levelVar_3 + + // ------- assign BEGIN ------------ + + w := 0 + + // ------- assign END -------------- + + assert $_levelVar_4 == $_levelVar_3 + } + $_levelVar_5 := $_levelVar_3 + + // ------- if-then-else END -------- + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(BCounter_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_5 > lvl + $_levelVar_6 := lvl + exhale acc(BCounter_INCREMENT(r), 1 / 4) + unfold acc(BCounter(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(BCounter_INCREMENT(r), 1 / 4) + exhale acc(BCounter(r, lvl, x), perm(BCounter(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_6 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$f) == v ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == w) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call0](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(BCounter(r, lvl, x), write) + assert old[pre_use_atomic0](BCounter_state(r, lvl, x)) == + BCounter_state(r, lvl, x) || + 1 / 4 <= 1 / 4 + $_levelVar_7 := $_levelVar_5 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions BCounter (after use-atomic@50.5) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(4, $r, $lvl, $x) == + 
old[pre_stabilize3](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after use-atomic@50.5) END + + + // ------- assert BEGIN ------------ + + assert (p == write ? v == old(BCounter_state(r, lvl, x)) : true) + + // ------- assert END -------------- + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(r), p) + invariant (p == write ? + b && v == old(BCounter_state(r, lvl, x)) && + (old(BCounter_state(r, lvl, x)) < 2 ? + BCounter_state(r, lvl, x) == old(BCounter_state(r, lvl, x)) + 1 : + BCounter_state(r, lvl, x) == 0) : + true) + { + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(BCounter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { BCounter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(BCounter_atomicity_context_fp($r, $lvl, $x))) ==> + BCounter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](BCounter_atomicity_context_hf($r, $lvl, $x))) + assert acc(BCounter(r, lvl, x), write) + + // ------- Stabilising regions BCounter (infer context for open-region) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region BCounter + quasihavoc BCounter_interferenceContext_fp(r, lvl, x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(5, r, lvl, x)) } + ($$_m in BCounter_interferenceSet_hf(5, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(BCounter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in BCounter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize4](BCounter_state(r, lvl, x)) || 
+ BCounter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize4](BCounter_state(r, lvl, x)) && + BCounter_sk_$_action_m(r, lvl, x) == $$_m && + true && + perm(BCounter_INCREMENT(r)) <= write - 1 / 4))) + quasihavoc BCounter(r, lvl, x) + inhale (BCounter_state(r, lvl, x) in + BCounter_interferenceSet_hf(5, r, lvl, x)) + + // havoc performed by other front resource + + inhale BCounter_interferenceReference_hf(5, r, lvl, x) == + old[pre_stabilize4](BCounter_state(r, lvl, x)) + + // ------- Stabilising regions BCounter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + unfold acc(BCounter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(BCounter(r, lvl, x), write) + assert BCounter_state(r, lvl, x) == + old[pre_open_region](BCounter_state(r, lvl, x)) + $_levelVar_9 := $_levelVar_7 + + // ------- open-region END --------- + + + // ------- Stabilising regions BCounter (after open-region@40.5) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](BCounter_state($r, $lvl, $x)) && 
+ BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize5](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after open-region@40.5) END + + + // ------- if-then-else BEGIN ------ + + if (v < 2) { + + // ------- assign BEGIN ------------ + + w := v + 1 + + // ------- assign END -------------- + + assert $_levelVar_9 == $_levelVar_9 + } else { + $_levelVar_10 := $_levelVar_9 + + // ------- assign BEGIN ------------ + + w := 0 + + // ------- assign END -------------- + + assert $_levelVar_10 == $_levelVar_9 + } + $_levelVar_11 := $_levelVar_9 + + // ------- if-then-else END -------- + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(BCounter_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_11 > lvl + $_levelVar_12 := lvl + exhale acc(BCounter_INCREMENT(r), 1 / 4) + unfold acc(BCounter(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(BCounter_INCREMENT(r), 1 / 4) + exhale acc(BCounter(r, lvl, x), perm(BCounter(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_12 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$f) == v ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == w) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(BCounter(r, lvl, x), write) + assert old[pre_use_atomic](BCounter_state(r, lvl, x)) == + BCounter_state(r, lvl, x) || + 1 / 4 <= 1 / 4 + $_levelVar_13 := $_levelVar_11 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions BCounter (after use-atomic@50.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(7, $r, $lvl, $x) == + 
old[pre_stabilize6](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after use-atomic@50.5) END + + + // ------- assert BEGIN ------------ + + assert (p == write ? v == old(BCounter_state(r, lvl, x)) : true) + + // ------- assert END -------------- + + assert $_levelVar_13 == $_levelVar_7 + } + $_levelVar_14 := $_levelVar_7 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + +} + +method read(r: Ref, lvl: Int, x: Ref, p: Perm) returns (ret: Int) + requires acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + 0 / 1 < p && + acc(BCounter_INCREMENT(r), p) + ensures acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(BCounter_INCREMENT(r), p) + ensures (p == write ? + ret == old(BCounter_state(r, lvl, x)) && + old(BCounter_state(r, lvl, x)) == BCounter_state(r, lvl, x) : + true) +{ + var $_levelVar_15: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + inhale $_levelVar_15 >= 0 && $_levelVar_15 > lvl + assert $_levelVar_15 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(BCounter(r, lvl, x), write) + + // ------- Stabilising regions BCounter (infer context for open-region) BEGIN + + label pre_stabilize7 + + // Stabilising single instance of region BCounter + quasihavoc BCounter_interferenceContext_fp(r, lvl, x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(8, r, lvl, x)) } + ($$_m in BCounter_interferenceSet_hf(8, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(BCounter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in BCounter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize7](BCounter_state(r, lvl, x)) || + BCounter_sk_$_action_n(r, lvl, x) == + 
old[pre_stabilize7](BCounter_state(r, lvl, x)) && + BCounter_sk_$_action_m(r, lvl, x) == $$_m && + true && + perm(BCounter_INCREMENT(r)) <= write - 1 / 4))) + quasihavoc BCounter(r, lvl, x) + inhale (BCounter_state(r, lvl, x) in + BCounter_interferenceSet_hf(8, r, lvl, x)) + + // havoc performed by other front resource + + inhale BCounter_interferenceReference_hf(8, r, lvl, x) == + old[pre_stabilize7](BCounter_state(r, lvl, x)) + + // ------- Stabilising regions BCounter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_15 > lvl + $_levelVar_16 := lvl + unfold acc(BCounter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(BCounter(r, lvl, x), write) + assert BCounter_state(r, lvl, x) == + old[pre_open_region2](BCounter_state(r, lvl, x)) + $_levelVar_17 := $_levelVar_15 + + // ------- open-region END --------- + + + // ------- Stabilising regions BCounter (after open-region@65.3) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in BCounter_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(BCounter($r, $lvl, $x))) ==> + ($$_m in BCounter_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in BCounter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, 
$lvl, $x) == $$_m && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BCounter($r, $lvl, $x))) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(BCounter($r, $lvl, $x))) ==> + BCounter_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize8](BCounter_state($r, $lvl, $x))) + + // ------- Stabilising regions BCounter (after open-region@65.3) END + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$f, write) && true + ensures (old(x.$memcell_$f) == now ? + ret && (acc(x.$memcell_$f, write) && x.$memcell_$f == thn) : + !ret && + (acc(x.$memcell_$f, write) && x.$memcell_$f == old(x.$memcell_$f))) + + +method $_BCounter_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1 || x.$memcell_$f == 2) + + // ------- Stabilising regions BCounter (check stability of region interpretation) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, 
$x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize9](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)) + + // ------- Stabilising regions BCounter (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1 || x.$memcell_$f == 2) +} + +method $_BCounter_action_transitivity_check() +{ + var INCREMENT: Perm + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && true && + 1 / 4 >= INCREMENT + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && true && + 1 / 4 >= INCREMENT + assert aState == cState || + aState == aState && cState == cState && true && 1 / 4 >= INCREMENT +} + +method $_makeBCounter_condition_stability_precondition_check(r: Ref, lvl: Int, + ret: Ref) + requires lvl >= 0 +{ + var $_levelVar_19: Int + var v: Ref + inhale $_levelVar_19 >= 0 + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions BCounter (check stability of method condition) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + 
none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize10](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)) + + // ------- Stabilising regions BCounter (check stability of method condition) END + + assert lvl >= 0 +} + +method $_incr_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref, + p: Perm, ret: Int) + requires acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + p >= 1 / 4 && + acc(BCounter_INCREMENT(r), p) +{ + var $_levelVar_20: Int + var v: Int + var w: Int + var b: Bool + inhale $_levelVar_20 >= 0 && $_levelVar_20 > lvl + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions BCounter (check stability of method condition) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize11](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && 
+ perm(BCounter_INCREMENT($r)) <= write - 1 / 4)) + + // ------- Stabilising regions BCounter (check stability of method condition) END + + assert acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + p >= 1 / 4 && + acc(BCounter_INCREMENT(r), p) +} + +method $_read_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref, + p: Perm, ret: Int) + requires acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && + 0 / 1 < p && + acc(BCounter_INCREMENT(r), p) +{ + var $_levelVar_21: Int + inhale $_levelVar_21 >= 0 && $_levelVar_21 > lvl + inhale acc(BCounter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(BCounter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions BCounter (check stability of method condition) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region BCounter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: BCounter($$r, $$lvl, $$x) + exhale acc(BCounter_sk_fp(), write) + inhale acc(BCounter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [BCounter($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(BCounter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(BCounter_atomicity_context_fp($r, $lvl, $x)) ==> + (BCounter_state($r, $lvl, $x) in + BCounter_atomicity_context_hf($r, $lvl, $x))) && + (BCounter_state($r, $lvl, $x) == + old[pre_stabilize12](BCounter_state($r, $lvl, $x)) || + BCounter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](BCounter_state($r, $lvl, $x)) && + BCounter_sk_$_action_m($r, $lvl, $x) == BCounter_state($r, $lvl, $x) && + true && + perm(BCounter_INCREMENT($r)) <= write - 1 / 4)) + + // ------- Stabilising regions BCounter (check stability of method condition) END + + assert acc(BCounter(r, lvl, x), write) && (lvl >= 0 && true) && 0 / 1 < p && + acc(BCounter_INCREMENT(r), p) +} \ No newline at end of file 
diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CASCounter.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CASCounter.vl.vpr
new file mode 100644
index 00000000..c2c9dfcb
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CASCounter.vl.vpr
@@ -0,0 +1,1073 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Counter_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function Counter_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Counter_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function Counter_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function Counter_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Counter_atomicity_context_fp(r, lvl, x), write) + ensures [Counter_atomicity_context_df(r, lvl, x), true] + + +function Counter_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Counter_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Counter_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Counter_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_interferenceContext_fp(r, lvl, x), write) + ensures [Counter_interferenceReference_df($p0, r, lvl, x), true] + + +function Counter_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter(r, lvl, x), write) + ensures [Counter_state_T(r, lvl, x), true] +{ + (unfolding acc(Counter(r, lvl, x), write) in x.$memcell_$f) +} + +predicate Counter_INCREMENT($r: Ref) + +predicate 
Counter_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Counter_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Counter_sk_fp() + +predicate Counter(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_Counter() + + +method ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() + + +method makeCounter(r: Ref, lvl: Int) returns (ret: Ref) + requires lvl >= 0 + ensures acc(Counter(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) +{ + var v: Ref + var w: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(v.$memcell_$f, write) && true + w := v.$memcell_$f + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + v.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Counter (after heap-write@22.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == 
old[pre_stabilize0](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after heap-write@22.3) END + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Counter_INCREMENT(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Counter(r, lvl, ret), write) + assert lvl >= 0 && Counter_state(r, lvl, ret) == 0 + + // ------- fold END ---------------- + +} + +method incr(r: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) + ensures acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) + ensures old(Counter_state(r, lvl, x)) < Counter_state(r, lvl, x) +{ + var v: Int + var b: Bool + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 
> lvl + assert $_levelVar_1 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(Counter(r, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(2, r, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(2, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Counter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize](Counter_state(r, lvl, x)) || + Counter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize](Counter_state(r, lvl, x)) && + Counter_sk_$_action_m(r, lvl, x) == $$_m && + Counter_sk_$_action_n(r, lvl, x) < Counter_sk_$_action_m(r, lvl, x) && + true))) + quasihavoc Counter(r, lvl, x) + inhale (Counter_state(r, lvl, x) in + Counter_interferenceSet_hf(2, r, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(2, r, lvl, x) == + old[pre_stabilize](Counter_state(r, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(r, lvl, x), write) + assert Counter_state(r, lvl, x) == + old[pre_open_region0](Counter_state(r, lvl, x)) + $_levelVar_3 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions 
Counter (after open-region@43.5) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize2](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after open-region@43.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Counter_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_3 > lvl + $_levelVar_4 := lvl + exhale acc(Counter_INCREMENT(r), write) + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + 
inhale acc(Counter_INCREMENT(r), write) + exhale acc(Counter(r, lvl, x), perm(Counter(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_4 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$f) == v ? + b && (acc(x.$memcell_$f, write) && x.$memcell_$f == v + 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call0](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(Counter(r, lvl, x), write) + assert old[pre_use_atomic0](Counter_state(r, lvl, x)) == + Counter_state(r, lvl, x) || + old[pre_use_atomic0](Counter_state(r, lvl, x)) < + Counter_state(r, lvl, x) + $_levelVar_5 := $_levelVar_3 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Counter (after use-atomic@46.5) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] 
:: none < + old[pre_stabilize3](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize3](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after use-atomic@46.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) + invariant (b ? + old(Counter_state(r, lvl, x)) < Counter_state(r, lvl, x) : + old(Counter_state(r, lvl, x)) <= Counter_state(r, lvl, x)) + { + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Counter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Counter_atomicity_context_fp($r, $lvl, $x))) ==> + Counter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Counter_atomicity_context_hf($r, $lvl, $x))) + assert acc(Counter(r, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(5, r, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(5, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < 
perm(Counter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize4](Counter_state(r, lvl, x)) || + Counter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize4](Counter_state(r, lvl, x)) && + Counter_sk_$_action_m(r, lvl, x) == $$_m && + Counter_sk_$_action_n(r, lvl, x) < Counter_sk_$_action_m(r, lvl, x) && + true))) + quasihavoc Counter(r, lvl, x) + inhale (Counter_state(r, lvl, x) in + Counter_interferenceSet_hf(5, r, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(5, r, lvl, x) == + old[pre_stabilize4](Counter_state(r, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_5 > lvl + $_levelVar_6 := lvl + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(r, lvl, x), write) + assert Counter_state(r, lvl, x) == + old[pre_open_region](Counter_state(r, lvl, x)) + $_levelVar_7 := $_levelVar_5 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter (after open-region@43.5) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) 
&& + ($$_m == old[pre_stabilize5](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize5](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after open-region@43.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(Counter_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + exhale acc(Counter_INCREMENT(r), write) + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Counter_INCREMENT(r), write) + exhale acc(Counter(r, lvl, x), perm(Counter(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_8 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$f) == v ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == v + 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(Counter(r, lvl, x), write) + assert old[pre_use_atomic](Counter_state(r, lvl, x)) == + Counter_state(r, lvl, x) || + old[pre_use_atomic](Counter_state(r, lvl, x)) < + Counter_state(r, lvl, x) + $_levelVar_9 := $_levelVar_7 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Counter (after use-atomic@46.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Counter($r, $lvl, 
$x))) ==> + Counter_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize6](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after use-atomic@46.5) END + + assert $_levelVar_9 == $_levelVar_5 + } + $_levelVar_10 := $_levelVar_5 + + // ------- while END --------------- + +} + +method read(r: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) + ensures acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) + ensures ret <= Counter_state(r, lvl, x) +{ + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + inhale $_levelVar_11 >= 0 && $_levelVar_11 > lvl + assert $_levelVar_11 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(Counter(r, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize7 + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(8, r, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(8, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Counter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize7](Counter_state(r, lvl, x)) || + Counter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize7](Counter_state(r, lvl, x)) && + Counter_sk_$_action_m(r, lvl, x) == $$_m && + Counter_sk_$_action_n(r, lvl, x) < Counter_sk_$_action_m(r, lvl, x) && + true))) + quasihavoc Counter(r, lvl, x) + inhale (Counter_state(r, lvl, x) in + Counter_interferenceSet_hf(8, r, lvl, x)) + + // havoc performed by other front resource + 
+ inhale Counter_interferenceReference_hf(8, r, lvl, x) == + old[pre_stabilize7](Counter_state(r, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_11 > lvl + $_levelVar_12 := lvl + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Counter(r, lvl, x), write) + assert Counter_state(r, lvl, x) == + old[pre_open_region2](Counter_state(r, lvl, x)) + $_levelVar_13 := $_levelVar_11 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter (after open-region@57.3) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, 
$lvl, $x) in + Counter_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize8](Counter_state($r, $lvl, $x))) + + // ------- Stabilising regions Counter (after open-region@57.3) END + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$f, write) && true + ensures (old(x.$memcell_$f) == now ? + ret && (acc(x.$memcell_$f, write) && x.$memcell_$f == thn) : + !ret && + (acc(x.$memcell_$f, write) && x.$memcell_$f == old(x.$memcell_$f))) + + +method $_Counter_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true + + // ------- Stabilising regions Counter (check stability of region interpretation) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize9](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // 
------- Stabilising regions Counter (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true +} + +method $_Counter_action_transitivity_check() +{ + var INCREMENT: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + INCREMENT + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + INCREMENT + assert aState == cState || + aState == aState && cState == cState && aState < cState && INCREMENT +} + +method $_makeCounter_condition_stability_precondition_check(r: Ref, lvl: Int, + ret: Ref) + requires lvl >= 0 +{ + var $_levelVar_15: Int + var v: Ref + inhale $_levelVar_15 >= 0 + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize10](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + 
Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of method condition) END + + assert lvl >= 0 +} + +method $_incr_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) +{ + var $_levelVar_16: Int + var v: Int + var b: Bool + inhale $_levelVar_16 >= 0 && $_levelVar_16 > lvl + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize11](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) +} + +method $_read_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + 
acc(Counter_INCREMENT(r), write) +{ + var $_levelVar_17: Int + inhale $_levelVar_17 >= 0 && $_levelVar_17 > lvl + inhale acc(Counter_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Counter (check stability of method condition) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize12](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + Counter_sk_$_action_n($r, $lvl, $x) < + Counter_sk_$_action_m($r, $lvl, $x) && + true)) + + // ------- Stabilising regions Counter (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCREMENT(r), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CounterClient.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CounterClient.vl.vpr new file mode 100644 index 00000000..f3cec43d --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/CounterClient.vl.vpr 
@@ -0,0 +1,5570 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Counter_CONT_T($r: Ref, n: Int): Bool + + function Counter_AUTH_T($r: Ref, n: Int): Bool + + function Counter_state_T(r: Ref, lvl: Int, x: Ref): Bool + + function Join_state_T(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_state_T(r: Ref, lvl: Int): Bool + + axiom Counter_CONT_T_bottom { + (forall $r: Ref, n: Int :: + { Counter_CONT_T($r, n) } + Counter_CONT_T($r, n)) + } + + axiom Counter_AUTH_T_bottom { + (forall $r: Ref, n: Int :: + { Counter_AUTH_T($r, n) } + Counter_AUTH_T($r, n)) + } +} + +domain interferenceReference_Domain { + + function Counter_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool + + function Join_interferenceReference_df($p0: Int, s: Ref, alvl: Int, y: Ref, + r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_interferenceReference_df($p0: Int, r: Ref, lvl: Int): Bool +} + +domain interferenceSet_Domain { + + function Counter_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + + function Join_interferenceSet_df($p0: Int, s: Ref, alvl: Int, y: Ref, r: Ref, + lvl: Int, x: Ref): Set[Int] + + function LevelDummy_interferenceSet_df($p0: Int, r: Ref, lvl: Int): Set[Int] +} + +domain atomicity_context_Domain { + + function Counter_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool + + function Join_atomicity_context_df(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, + x: Ref): Bool + + function LevelDummy_atomicity_context_df(r: Ref, lvl: Int): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $fjcell_$value: Int + +field $fjcell_$_payload: Bool + +field $cell_$value: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function Counter_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires 
acc(Counter_atomicity_context_fp(r, lvl, x), write) + ensures [Counter_atomicity_context_df(r, lvl, x), true] + + +function Counter_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Counter_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Counter_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Counter_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_interferenceContext_fp(r, lvl, x), write) + ensures [Counter_interferenceReference_df($p0, r, lvl, x), true] + + +function Counter_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter_sk_fp(), write) + + +function Counter_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Counter(r, lvl, x), write) + ensures [Counter_state_T(r, lvl, x), true] +{ + (unfolding acc(Counter(r, lvl, x), write) in x.$cell_$value) +} + +function Join_atomicity_context_hf(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, + x: Ref): Set[Int] + requires acc(Join_atomicity_context_fp(s, alvl, y, r, lvl, x), write) + ensures [Join_atomicity_context_df(s, alvl, y, r, lvl, x), true] + + +function Join_interferenceSet_hf($p0: Int, s: Ref, alvl: Int, y: Ref, r: Ref, + lvl: Int, x: Ref): Set[Int] + requires acc(Join_interferenceContext_fp(s, alvl, y, r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Join_interferenceSet_df($p0, s, alvl, y, r, lvl, x))), + true] + + +function Join_interferenceReference_hf($p0: Int, s: Ref, alvl: Int, y: Ref, + r: Ref, lvl: Int, x: Ref): Int + requires acc(Join_interferenceContext_fp(s, alvl, y, r, lvl, x), write) + ensures [Join_interferenceReference_df($p0, s, alvl, y, r, lvl, x), true] + + +function Join_state(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Join(s, 
alvl, y, r, lvl, x), write) + ensures [Join_state_T(s, alvl, y, r, lvl, x), true] +{ + (unfolding acc(Join(s, alvl, y, r, lvl, x), write) in y.$fjcell_$value) +} + +function LevelDummy_atomicity_context_hf(r: Ref, lvl: Int): Set[Int] + requires acc(LevelDummy_atomicity_context_fp(r, lvl), write) + ensures [LevelDummy_atomicity_context_df(r, lvl), true] + + +function LevelDummy_interferenceSet_hf($p0: Int, r: Ref, lvl: Int): Set[Int] + requires acc(LevelDummy_interferenceContext_fp(r, lvl), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in LevelDummy_interferenceSet_df($p0, r, lvl))), + true] + + +function LevelDummy_interferenceReference_hf($p0: Int, r: Ref, lvl: Int): Int + requires acc(LevelDummy_interferenceContext_fp(r, lvl), write) + ensures [LevelDummy_interferenceReference_df($p0, r, lvl), true] + + +function LevelDummy_state(r: Ref, lvl: Int): Int + requires acc(LevelDummy(r, lvl), write) + ensures [LevelDummy_state_T(r, lvl), true] +{ + (unfolding acc(LevelDummy(r, lvl), write) in 0) +} + +predicate Counter_INCR($r: Ref) + +predicate Counter_CONT($r: Ref, n: Int) + +predicate Counter_AUTH($r: Ref, n: Int) + +predicate Counter_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Counter_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Counter_sk_fp() + +predicate Counter(r: Ref, lvl: Int, x: Ref) { + acc(x.$cell_$value, write) && true && 0 <= x.$cell_$value && + (Counter_CONT_T(r, 0 - 1 - x.$cell_$value) && + acc(Counter_CONT(r, 0 - 1 - x.$cell_$value), write)) && + (Counter_AUTH_T(r, x.$cell_$value) && + acc(Counter_AUTH(r, x.$cell_$value), write)) +} + +predicate Join_SET($r: Ref) + +predicate Join_JOIN($r: Ref) + +predicate Join_atomicity_context_fp(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, + x: Ref) + +predicate Join_interferenceContext_fp(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, + x: Ref) + +predicate Join_sk_fp() + +predicate Join(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, x: Ref) 
{ + acc(y.$fjcell_$value, write) && true && + (y.$fjcell_$value == 0 || y.$fjcell_$value == 1) && + (acc(y.$fjcell_$_payload, write) && true) && + (y.$fjcell_$value == 1 ? + (y.$fjcell_$_payload ? + acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && lvl < alvl && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) : + acc(Join_JOIN(s), write)) : + true) +} + +predicate LevelDummy_LevelDummyG($r: Ref) + +predicate LevelDummy_atomicity_context_fp(r: Ref, lvl: Int) + +predicate LevelDummy_interferenceContext_fp(r: Ref, lvl: Int) + +predicate LevelDummy_sk_fp() + +predicate LevelDummy(r: Ref, lvl: Int) { + true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Perm() returns ($r: Perm) + + +method ___silicon_hack407_havoc_all_Counter() + + +method ___silicon_hack407_havoc_all_Counter_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_Join() + + +method ___silicon_hack407_havoc_all_Join_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_LevelDummy() + + +method ___silicon_hack407_havoc_all_LevelDummy_interferenceContext_fp() + + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$cell_$value, write) && true + ensures (old(x.$cell_$value) == now ? 
+ ret && (acc(x.$cell_$value, write) && x.$cell_$value == thn) : + !ret && + (acc(x.$cell_$value, write) && x.$cell_$value == old(x.$cell_$value))) + + +method thread_incr(r: Ref, lvl: Int, x: Ref, s: Ref, alvl: Int, y: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl + ensures true +{ + var $_levelVar_1: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl && $_levelVar_1 > alvl + assert $_levelVar_1 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- call:incr BEGIN --------- + + assert true + label pre_call0 + assert $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert true + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:incr@19.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < 
perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize0](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize0](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize0](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize0](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize0](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions 
Counter,Join,LevelDummy (within call:incr@19.3) END + + inhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) + + // ------- call:incr END ----------- + + + // ------- call:set_to_one BEGIN --- + + assert true + label pre_call + assert $_levelVar_1 >= 0 && $_levelVar_1 > lvl && $_levelVar_1 > alvl + assert true + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:set_to_one@20.3) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + 
$y, $r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:set_to_one@20.3) END + + inhale acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 1) + + // ------- call:set_to_one END ----- + +} + +method parallel_incr(lvl: Int, alvl: Int, dummy: Ref) + returns (r: Ref, x: Ref) + requires acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true) && + (alvl > lvl && lvl >= 0) + ensures acc(Counter(r, lvl, x), write) && + (lvl >= 0 && Counter_state(r, lvl, x) == 2) && + (Counter_CONT_T(r, 2) && acc(Counter_CONT(r, 2), write)) && + (Counter_AUTH_T(r, 0 - 1 - 2) && acc(Counter_AUTH(r, 0 - 1 - 2), write)) && + acc(Counter_INCR(r), write) +{ + var y1: Ref + var y2: Ref + var s1: Ref + var s2: Ref + var s1_lvl: Int + var s2_lvl: Int + var n: Int + var $_levelVar_2: Int 
+ inhale $_levelVar_2 >= 0 && $_levelVar_2 > alvl + assert $_levelVar_2 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- assume BEGIN ------------ + + inhale s1_lvl == alvl && s2_lvl == alvl + + // ------- assume END -------------- + + + // ------- call:makeCounter BEGIN -- + + assert true + label pre_call2 + assert $_levelVar_2 >= 0 + assert true + exhale lvl >= 0 + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:makeCounter@33.3) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize2](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale 
acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize2](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize2](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize2](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize2](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:makeCounter@33.3) END + + r := havoc_Ref() + x := havoc_Ref() + inhale acc(Counter(r, lvl, x), write) && + (lvl >= 0 && Counter_state(r, lvl, x) == 0) && + acc(Counter_INCR(r), write) && + (Counter_AUTH_T(r, 0 - 1) && acc(Counter_AUTH(r, 0 - 1), write)) + + // ------- call:makeCounter END ---- + + + // ------- assert BEGIN ------------ + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (acc(Counter(r, lvl, x), write) && (lvl 
>= 0 && true)) && + (acc(Counter(r, lvl, x), write) && (lvl >= 0 && true)) && + (acc(Counter(r, lvl, x), write) && (lvl >= 0 && true)) + + // ------- inhale END -------------- + + + // ------- apply BEGIN ------------- + + AUTH_split(r, 0 - 1 - 1, 1) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + AUTH_split(r, 0 - 1 - 2, 1) + + // ------- apply END --------------- + + + // ------- call:make_join BEGIN ---- + + assert true + label pre_call3 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl + assert true + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + lvl < s1_lvl + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:make_join@42.3) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize3](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Join($s, $alvl, $y, $r, $lvl, $x))) 
==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize3](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize3](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize3](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:make_join@42.3) END + + s1 := havoc_Ref() + y1 := havoc_Ref() + inhale acc(Join(s1, s1_lvl, y1, r, lvl, x), write) && + (s1_lvl >= 0 && Join_state(s1, s1_lvl, y1, r, lvl, x) == 0) && + acc(Join_SET(s1), write) && + acc(Join_JOIN(s1), write) && + s1_lvl > lvl + + // ------- call:make_join END ------ + + + // ------- call:make_join BEGIN ---- + + assert true + label pre_call4 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl + assert true + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + lvl < s2_lvl + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:make_join@43.3) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + 
inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize4](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize4](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize4](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize4](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + 
LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize4](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:make_join@43.3) END + + s2 := havoc_Ref() + y2 := havoc_Ref() + inhale acc(Join(s2, s2_lvl, y2, r, lvl, x), write) && + (s2_lvl >= 0 && Join_state(s2, s2_lvl, y2, r, lvl, x) == 0) && + acc(Join_SET(s2), write) && + acc(Join_JOIN(s2), write) && + s2_lvl > lvl + + // ------- call:make_join END ------ + + + // ------- assert BEGIN ------------ + + assert acc(Join(s1, s1_lvl, y1, r, lvl, x), write) && + (s1_lvl >= 0 && true) && + (acc(Join(s2, s2_lvl, y2, r, lvl, x), write) && (s2_lvl >= 0 && true)) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Join(s1, s1_lvl, y1, r, lvl, x), write) && + (s1_lvl >= 0 && true) && + (acc(Join(s2, s2_lvl, y2, r, lvl, x), write) && (s2_lvl >= 0 && true)) + + // ------- inhale END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s1, s1_lvl, y1, r, lvl, x), write) && + (s1_lvl >= 0 && Join_state(s1, s1_lvl, y1, r, lvl, x) == 0)) && + acc(Join_SET(s1), write) && + lvl < s1_lvl + + // ------- exhale END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s2, s2_lvl, y2, r, lvl, x), write) && + (s2_lvl >= 0 && Join_state(s2, s2_lvl, y2, r, lvl, x) == 0)) && + acc(Join_SET(s2), write) && + lvl < s2_lvl + + // ------- exhale END -------------- + + + // ------- call:wait BEGIN --------- + + assert true + label pre_call5 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl && $_levelVar_2 > s1_lvl + assert true + exhale 
acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_JOIN(s1), write) && + (acc(Join(s1, s1_lvl, y1, r, lvl, x), write) && (s1_lvl >= 0 && true)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:wait@54.3) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize5](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize5](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize5](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + 
perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize5](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize5](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:wait@54.3) END + + inhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s1, s1_lvl, y1, r, lvl, x), write) && + (s1_lvl >= 0 && Join_state(s1, s1_lvl, y1, r, lvl, x) == 1)) + + // ------- call:wait END ----------- + + + // ------- call:wait BEGIN --------- + + assert true + label pre_call6 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl && $_levelVar_2 > s2_lvl + assert true + exhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_JOIN(s2), write) && + (acc(Join(s2, s2_lvl, y2, r, lvl, x), write) && (s2_lvl >= 0 && true)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:wait@55.3) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + 
(Counter_state($r, $lvl, $x) == + old[pre_stabilize6](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize6](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize6](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize6](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize6](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (within call:wait@55.3) END + + inhale acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) 
&& acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s2, s2_lvl, y2, r, lvl, x), write) && + (s2_lvl >= 0 && Join_state(s2, s2_lvl, y2, r, lvl, x) == 1)) + + // ------- call:wait END ----------- + + + // ------- apply BEGIN ------------- + + CONT_join(r, 1, 1) + + // ------- apply END --------------- + + + // ------- unfold BEGIN ------------ + + n := Counter_state(r, lvl, x) + assert lvl >= 0 && true + unfold acc(Counter(r, lvl, x), write) + + // ------- Inferring interference context Counter,Join,LevelDummy (recompute interference context after unfold) BEGIN + + label pre_infer0 + + // Inferring interference all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_infer0](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer0](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_infer0](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_infer0](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_infer0](Counter_state($r, $lvl, $x))) + + // Inferring interference all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + 
$$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(1, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_infer0](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(1, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == old[pre_infer0](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_infer0](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_infer0](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(1, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_infer0](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Inferring interference all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(1, $r, $lvl)) } + none < old[pre_infer0](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(1, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_infer0](LevelDummy_state($r, $lvl)) || false)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int 
[LevelDummy($r, $lvl)] :: none < + old[pre_infer0](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(1, $r, $lvl) == + old[pre_infer0](LevelDummy_state($r, $lvl))) + + // ------- Inferring interference context Counter,Join,LevelDummy (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- apply BEGIN ------------- + + CONT_max1(r, 2, n) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + AUTH_max1(r, n, 2) + + // ------- apply END --------------- + + + // ------- fold BEGIN -------------- + + fold acc(Counter(r, lvl, x), write) + assert lvl >= 0 && Counter_state(r, lvl, x) == 2 + + // ------- fold END ---------------- + + + // skip; + + + // ------- Stabilising regions Counter,Join,LevelDummy (after skip@68.3) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Counter($r, $lvl, $x))) ==> + 
(Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize7](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(2, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(2, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize7](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize7](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(2, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + 
old[pre_stabilize7](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(2, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize7](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(2, $r, $lvl)) } + none < old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(2, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize7](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(2, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(2, $r, $lvl) == + old[pre_stabilize7](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after skip@68.3) END + +} + +method CONT_split(r: Ref, n: Int, m: Int) + requires Counter_CONT_T(r, n + m) && acc(Counter_CONT(r, n + m), write) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 + ensures Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, m) && acc(Counter_CONT(r, m), write)) +{ + var $_levelVar_3: Int + inhale $_levelVar_3 >= 0 + assert $_levelVar_3 >= 0 + inhale acc(Counter_sk_fp(), write) 
&& acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method CONT_join(r: Ref, n: Int, m: Int) + requires Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, m) && acc(Counter_CONT(r, m), write)) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 + ensures Counter_CONT_T(r, n + m) && acc(Counter_CONT(r, n + m), write) +{ + var $_levelVar_4: Int + inhale $_levelVar_4 >= 0 + assert $_levelVar_4 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method CONT_false1(r: Ref, n: Int) + requires Counter_CONT_T(r, 0 - 1) && acc(Counter_CONT(r, 0 - 1), write) && + (Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write)) && + 0 < n + ensures false +{ + var $_levelVar_5: Int + inhale $_levelVar_5 >= 0 + assert $_levelVar_5 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method CONT_max1(r: Ref, n: Int, m: Int) + requires Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, 0 - 1 - m) && acc(Counter_CONT(r, 0 - 1 - m), write)) && + 0 <= n && + 0 <= m + ensures Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, 0 - 1 - m) && acc(Counter_CONT(r, 0 - 1 - m), write)) + ensures n <= m +{ + var $_levelVar_6: Int + inhale $_levelVar_6 >= 0 + assert $_levelVar_6 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method AUTH_split(r: Ref, n: Int, m: Int) + requires Counter_AUTH_T(r, n + m) && acc(Counter_AUTH(r, n + m), write) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 + ensures Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, m) && acc(Counter_AUTH(r, m), write)) +{ + var $_levelVar_7: Int + inhale $_levelVar_7 >= 0 + assert $_levelVar_7 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method AUTH_join(r: Ref, n: Int, m: Int) + requires Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, m) && acc(Counter_AUTH(r, m), write)) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 + ensures Counter_AUTH_T(r, n + m) && acc(Counter_AUTH(r, n + m), write) +{ + var $_levelVar_8: Int + inhale $_levelVar_8 >= 0 + assert $_levelVar_8 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method AUTH_false1(r: Ref, n: Int) + requires Counter_AUTH_T(r, 0 - 1) && acc(Counter_AUTH(r, 0 - 1), write) && + (Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write)) && + 0 < n + ensures false +{ + var $_levelVar_9: Int + inhale $_levelVar_9 >= 0 + assert $_levelVar_9 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, 
$x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method AUTH_max1(r: Ref, n: Int, m: Int) + requires Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, 0 - 1 - m) && acc(Counter_AUTH(r, 0 - 1 - m), write)) && + 0 <= n && + 0 <= m + ensures Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, 0 - 1 - m) && acc(Counter_AUTH(r, 0 - 1 - m), write)) + ensures n <= m +{ + var $_levelVar_10: Int + inhale $_levelVar_10 >= 0 + assert $_levelVar_10 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale false +} + +method makeCounter(lvl: Int) returns (r: Ref, x: Ref) + requires lvl >= 0 + ensures acc(Counter(r, lvl, x), write) && + (lvl >= 0 && Counter_state(r, lvl, x) == 0) && + acc(Counter_INCR(r), write) && + (Counter_AUTH_T(r, 0 - 1) && acc(Counter_AUTH(r, 0 - 1), write)) +{ + var $_levelVar_11: Int + inhale $_levelVar_11 >= 0 + assert $_levelVar_11 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int 
::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(x.$cell_$value, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$cell_$value := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after heap-write@141.3) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize8](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, 
$$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(3, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(3, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize8](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize8](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(3, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(3, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize8](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int 
[LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(3, $r, $lvl)) } + none < old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(3, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize8](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(3, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(3, $r, $lvl) == + old[pre_stabilize8](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after heap-write@141.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Counter_INCR(r), write) && + (Counter_CONT_T(r, 0 - 1) && acc(Counter_CONT(r, 0 - 1), write)) && + (Counter_AUTH_T(r, 0 - 1) && acc(Counter_AUTH(r, 0 - 1), write)) + + // ------- inhale END -------------- + + + // ------- apply BEGIN ------------- + + AUTH_split(r, 0 - 1, 0) + + // ------- apply END --------------- + + + // ------- fold BEGIN -------------- + + fold acc(Counter(r, lvl, x), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method incr(r: Ref, lvl: Int, x: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) + ensures acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) +{ + var b: Bool + var v: 
Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + var $_levelVar_21: Int + var $_levelVar_22: Int + var $_levelVar_23: Int + inhale $_levelVar_12 >= 0 && $_levelVar_12 > lvl + assert $_levelVar_12 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Counter(r, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize9 + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(4, r, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(4, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Counter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize9](Counter_state(r, lvl, x)) || + Counter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize9](Counter_state(r, lvl, x)) && + Counter_sk_$_action_m(r, lvl, x) == $$_m && + true && + perm(Counter_INCR(r)) <= write - 1 / 2))) + quasihavoc Counter(r, lvl, x) + inhale (Counter_state(r, lvl, x) in + Counter_interferenceSet_hf(4, r, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(4, r, lvl, x) 
== + old[pre_stabilize9](Counter_state(r, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_12 > lvl + $_levelVar_13 := lvl + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$cell_$value + + // ------- heap-read END ----------- + + fold acc(Counter(r, lvl, x), write) + assert Counter_state(r, lvl, x) == + old[pre_open_region0](Counter_state(r, lvl, x)) + $_levelVar_14 := $_levelVar_12 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@160.5) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize10](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize10](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc 
performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize10](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(5, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize10](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(5, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize10](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize10](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(5, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(5, $s, 
$alvl, $y, $r, $lvl, $x) == + old[pre_stabilize10](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(5, $r, $lvl)) } + none < old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(5, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize10](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(5, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(5, $r, $lvl) == + old[pre_stabilize10](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@160.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Counter_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_14 > lvl + $_levelVar_15 := lvl + exhale acc(Counter_INCR(r), 1 / 2) + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Counter_INCR(r), 1 / 2) + exhale acc(Counter(r, lvl, x), perm(Counter(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call7 + assert $_levelVar_15 >= 0 + assert true + exhale acc(x.$cell_$value, 
write) && true + b := havoc_Bool() + inhale (old[pre_call7](x.$cell_$value) == v ? + b && (acc(x.$cell_$value, write) && x.$cell_$value == v + 1) : + !b && + (acc(x.$cell_$value, write) && + x.$cell_$value == old[pre_call7](x.$cell_$value))) + + // ------- call:CAS END ------------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- apply BEGIN ------------- + + AUTH_join(r, v, 1) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + CONT_split(r, 0 - 1 - (v + 1), 1) + + // ------- apply END --------------- + + assert $_levelVar_15 == $_levelVar_15 + } + $_levelVar_16 := $_levelVar_15 + + // ------- if-then-else END -------- + + fold acc(Counter(r, lvl, x), write) + assert old[pre_use_atomic0](Counter_state(r, lvl, x)) == + Counter_state(r, lvl, x) || + 1 / 2 <= 1 / 2 + $_levelVar_17 := $_levelVar_14 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after use-atomic@166.5) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize11](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize11](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: 
Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize11](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(6, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize11](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(6, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize11](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize11](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(6, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by 
other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(6, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize11](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(6, $r, $lvl)) } + none < old[pre_stabilize11](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(6, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize11](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize11](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(6, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize11](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(6, $r, $lvl) == + old[pre_stabilize11](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after use-atomic@166.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Counter_INCR(r), 1 / 2) + invariant (!b ? 
+ Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write) : + Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) + { + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Counter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Counter_atomicity_context_fp($r, $lvl, $x))) ==> + Counter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Counter_atomicity_context_hf($r, $lvl, $x))) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($s, + $alvl, $y, $r, $lvl, $x), old[preWhile0](perm(Join_atomicity_context_fp($s, + $alvl, $y, $r, $lvl, $x))))) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($s, $alvl, $y, $r, $lvl, $x) } + none < + old[preWhile0](perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, + $x))) ==> + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x) == + old[preWhile0](Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_atomicity_context_fp($r, + $lvl), old[preWhile0](perm(LevelDummy_atomicity_context_fp($r, $lvl))))) + inhale (forall $r: Ref, $lvl: Int :: + { LevelDummy_atomicity_context_df($r, $lvl) } + none < + old[preWhile0](perm(LevelDummy_atomicity_context_fp($r, 
$lvl))) ==> + LevelDummy_atomicity_context_hf($r, $lvl) == + old[preWhile0](LevelDummy_atomicity_context_hf($r, $lvl))) + assert acc(Counter(r, lvl, x), write) + + // ------- Stabilising regions Counter (infer context for open-region) BEGIN + + label pre_stabilize12 + + // Stabilising single instance of region Counter + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(7, r, lvl, x)) } + ($$_m in Counter_interferenceSet_hf(7, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Counter_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Counter_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize12](Counter_state(r, lvl, x)) || + Counter_sk_$_action_n(r, lvl, x) == + old[pre_stabilize12](Counter_state(r, lvl, x)) && + Counter_sk_$_action_m(r, lvl, x) == $$_m && + true && + perm(Counter_INCR(r)) <= write - 1 / 2))) + quasihavoc Counter(r, lvl, x) + inhale (Counter_state(r, lvl, x) in + Counter_interferenceSet_hf(7, r, lvl, x)) + + // havoc performed by other front resource + + inhale Counter_interferenceReference_hf(7, r, lvl, x) == + old[pre_stabilize12](Counter_state(r, lvl, x)) + + // ------- Stabilising regions Counter (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_17 > lvl + $_levelVar_18 := lvl + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$cell_$value + + // ------- heap-read END ----------- + + fold acc(Counter(r, lvl, x), write) + assert Counter_state(r, lvl, x) == + old[pre_open_region](Counter_state(r, lvl, x)) + $_levelVar_19 := $_levelVar_17 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@160.5) BEGIN + + label pre_stabilize13 + + // Stabilising all 
instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(8, $r, $lvl, $x)) } + none < old[pre_stabilize13](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(8, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize13](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(8, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(8, $r, $lvl, $x) == + old[pre_stabilize13](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(8, $s, $alvl, $y, $r, $lvl, $x)) } + none < + 
old[pre_stabilize13](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(8, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize13](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == + old[pre_stabilize13](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(8, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(8, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize13](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(8, $r, $lvl)) } + none < old[pre_stabilize13](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(8, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == 
old[pre_stabilize13](LevelDummy_state($r, $lvl)) || + false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize13](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(8, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize13](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(8, $r, $lvl) == + old[pre_stabilize13](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@160.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(Counter_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_19 > lvl + $_levelVar_20 := lvl + exhale acc(Counter_INCR(r), 1 / 2) + unfold acc(Counter(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Counter_INCR(r), 1 / 2) + exhale acc(Counter(r, lvl, x), perm(Counter(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call8 + assert $_levelVar_20 >= 0 + assert true + exhale acc(x.$cell_$value, write) && true + b := havoc_Bool() + inhale (old[pre_call8](x.$cell_$value) == v ? 
+ b && (acc(x.$cell_$value, write) && x.$cell_$value == v + 1) : + !b && + (acc(x.$cell_$value, write) && + x.$cell_$value == old[pre_call8](x.$cell_$value))) + + // ------- call:CAS END ------------ + + + // ------- if-then-else BEGIN ------ + + if (b) { + + // ------- apply BEGIN ------------- + + AUTH_join(r, v, 1) + + // ------- apply END --------------- + + + // ------- apply BEGIN ------------- + + CONT_split(r, 0 - 1 - (v + 1), 1) + + // ------- apply END --------------- + + assert $_levelVar_20 == $_levelVar_20 + } + $_levelVar_21 := $_levelVar_20 + + // ------- if-then-else END -------- + + fold acc(Counter(r, lvl, x), write) + assert old[pre_use_atomic](Counter_state(r, lvl, x)) == + Counter_state(r, lvl, x) || + 1 / 2 <= 1 / 2 + $_levelVar_22 := $_levelVar_19 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after use-atomic@166.5) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize14](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize14](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize14](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, 
$lvl, $x)] :: none < + old[pre_stabilize14](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize14](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(9, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize14](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(9, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize14](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == + old[pre_stabilize14](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(9, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: 
Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(9, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize14](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(9, $r, $lvl)) } + none < old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(9, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize14](LevelDummy_state($r, $lvl)) || + false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(9, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(9, $r, $lvl) == + old[pre_stabilize14](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after use-atomic@166.5) END + + assert $_levelVar_22 == $_levelVar_17 + } + $_levelVar_23 := $_levelVar_17 + + // ------- while END --------------- + +} + +method make_join(alvl: Int, r: Ref, lvl: Int, x: Ref) + returns (s: Ref, y: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + lvl < alvl + ensures acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, 
alvl, y, r, lvl, x) == 0) && + acc(Join_SET(s), write) && + acc(Join_JOIN(s), write) && + alvl > lvl +{ + var $_levelVar_24: Int + inhale $_levelVar_24 >= 0 && $_levelVar_24 > lvl + assert $_levelVar_24 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(y.$fjcell_$value, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + y.$fjcell_$value := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after heap-write@209.3) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(10, $r, $lvl, $x)) } + none < old[pre_stabilize15](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(10, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize15](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) 
<= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(10, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(10, $r, $lvl, $x) == + old[pre_stabilize15](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(10, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize15](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(10, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize15](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize15](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + 
Join_interferenceSet_hf(10, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(10, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize15](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(10, $r, $lvl)) } + none < old[pre_stabilize15](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(10, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize15](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize15](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(10, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize15](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(10, $r, $lvl) == + old[pre_stabilize15](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after heap-write@209.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Join_SET(s), write) && acc(Join_JOIN(s), write) + + // ------- inhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale 
acc(y.$fjcell_$_payload, write) && y.$fjcell_$_payload == true + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Join(s, alvl, y, r, lvl, x), write) + assert alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0 + + // ------- fold END ---------------- + +} + +method set_to_one(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, x: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl + ensures acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 1) +{ + var $_levelVar_25: Int + var $_levelVar_26: Int + var $_levelVar_27: Int + inhale $_levelVar_25 >= 0 && $_levelVar_25 > lvl && $_levelVar_25 > alvl + assert $_levelVar_25 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for use-atomic) BEGIN + + label pre_stabilize16 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(s, alvl, y, r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(11, s, alvl, y, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(11, s, alvl, y, r, lvl, 
x)) == + ((none < perm(s.$diamond) && + none < perm(Join_atomicity_context_fp(s, alvl, y, r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(s, alvl, y, r, lvl, x))) && + ($$_m == old[pre_stabilize16](Join_state(s, alvl, y, r, lvl, x)) || + 0 == old[pre_stabilize16](Join_state(s, alvl, y, r, lvl, x)) && + 1 == $$_m && + true && + perm(Join_SET(s)) == none))) + quasihavoc Join(s, alvl, y, r, lvl, x) + inhale (Join_state(s, alvl, y, r, lvl, x) in + Join_interferenceSet_hf(11, s, alvl, y, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(11, s, alvl, y, r, lvl, x) == + old[pre_stabilize16](Join_state(s, alvl, y, r, lvl, x)) + + // ------- Stabilising regions Join (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic2 + assert perm(Join_atomicity_context_fp(s, alvl, y, r, lvl, x)) == none + assert $_levelVar_25 > alvl + $_levelVar_26 := alvl + exhale acc(Join_SET(s), write) + unfold acc(Join(s, alvl, y, r, lvl, x), write) + label transitionPre4 + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + + // no additional linking required + + + // havoc performed by other front resource + + inhale y.$fjcell_$value == 1 && y.$fjcell_$_payload ==> + Counter_interferenceReference_hf(11, r, lvl, x) == + old[transitionPre4](Counter_state(r, lvl, x)) + inhale acc(Join_SET(s), write) + exhale acc(Join(s, alvl, y, r, lvl, x), perm(Join(s, alvl, y, r, lvl, x))) + + // ------- heap-write BEGIN -------- + + y.$fjcell_$value := 1 + + // ------- heap-write END ---------- + + + // ------- exhale BEGIN ------------ + + exhale acc(y.$fjcell_$_payload, write) && true + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(y.$fjcell_$_payload, write) && y.$fjcell_$_payload == true + + // ------- inhale END -------------- + + fold acc(Join(s, alvl, y, r, lvl, x), write) + assert old[pre_use_atomic2](Join_state(s, alvl, y, r, lvl, x)) == + 
Join_state(s, alvl, y, r, lvl, x) || + 0 == old[pre_use_atomic2](Join_state(s, alvl, y, r, lvl, x)) && + 1 == Join_state(s, alvl, y, r, lvl, x) + $_levelVar_27 := $_levelVar_25 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after use-atomic@221.3) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(12, $r, $lvl, $x)) } + none < old[pre_stabilize17](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize17](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize17](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(12, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_stabilize17](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: 
Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(12, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize17](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(12, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize17](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize17](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(12, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(12, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize17](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { 
($$_m in LevelDummy_interferenceSet_df(12, $r, $lvl)) } + none < old[pre_stabilize17](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(12, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize17](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize17](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(12, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize17](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(12, $r, $lvl) == + old[pre_stabilize17](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after use-atomic@221.3) END + +} + +method wait(s: Ref, alvl: Int, y: Ref, r: Ref, lvl: Int, x: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_JOIN(s), write) && + (acc(Join(s, alvl, y, r, lvl, x), write) && (alvl >= 0 && true)) + ensures acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 1)) +{ + var v: Int + var $_levelVar_28: Int + var $_levelVar_29: Int + var $_levelVar_30: Int + var $_levelVar_31: Int + var $_levelVar_32: Int + var $_levelVar_33: Int + var $_levelVar_34: Int + var $_levelVar_35: Int + inhale $_levelVar_28 >= 0 && $_levelVar_28 > lvl && $_levelVar_28 > alvl + assert $_levelVar_28 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no 
init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize18 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(s, alvl, y, r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(13, s, alvl, y, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(13, s, alvl, y, r, lvl, x)) == + ((none < perm(s.$diamond) && + none < perm(Join_atomicity_context_fp(s, alvl, y, r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(s, alvl, y, r, lvl, x))) && + ($$_m == old[pre_stabilize18](Join_state(s, alvl, y, r, lvl, x)) || + 0 == old[pre_stabilize18](Join_state(s, alvl, y, r, lvl, x)) && + 1 == $$_m && + true && + perm(Join_SET(s)) == none))) + quasihavoc Join(s, alvl, y, r, lvl, x) + inhale (Join_state(s, alvl, y, r, lvl, x) in + Join_interferenceSet_hf(13, s, alvl, y, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(13, s, alvl, y, r, lvl, x) == + old[pre_stabilize18](Join_state(s, alvl, y, r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_28 > alvl + $_levelVar_29 := alvl + unfold acc(Join(s, alvl, y, r, lvl, x), write) + label transitionPre5 + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + + // no additional linking required + + + // havoc performed by other front resource + + inhale 
y.$fjcell_$value == 1 && y.$fjcell_$_payload ==> + Counter_interferenceReference_hf(13, r, lvl, x) == + old[transitionPre5](Counter_state(r, lvl, x)) + + // ------- heap-read BEGIN --------- + + v := y.$fjcell_$value + + // ------- heap-read END ----------- + + + // ------- if-then-else BEGIN ------ + + if (!(v == 0)) { + + // ------- fold BEGIN -------------- + + fold acc(Join(s, alvl, y, r, lvl, x), write) + assert alvl >= 0 && true + + // ------- fold END ---------------- + + + // ------- use-region-interpretation BEGIN + + unfold acc(Join(s, alvl, y, r, lvl, x), write) + inhale perm(Join_JOIN(s)) <= write + fold acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Inferring interference context Counter,Join,LevelDummy (infer interference context after use-region interpretation) BEGIN + + label pre_infer + + // Inferring interference all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(14, $r, $lvl, $x)) } + none < old[pre_infer](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(14, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_infer](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_infer](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(14, $r, $lvl, $x) == + 
old[pre_infer](Counter_state($r, $lvl, $x))) + + // Inferring interference all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(14, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_infer](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in + Join_interferenceSet_hf(14, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == old[pre_infer](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_infer](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_infer](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(14, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_infer](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Inferring interference all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(14, $r, $lvl)) } + none < old[pre_infer](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(14, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) 
==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_infer](LevelDummy_state($r, $lvl)) || false)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_infer](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(14, $r, $lvl) == + old[pre_infer](LevelDummy_state($r, $lvl))) + + // ------- Inferring interference context Counter,Join,LevelDummy (infer interference context after use-region interpretation) END + + + // ------- use-region-interpretation END + + + // ------- unfold BEGIN ------------ + + assert alvl >= 0 && true + unfold acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Inferring interference context Counter,Join,LevelDummy (recompute interference context after unfold) BEGIN + + label pre_infer2 + + // Inferring interference all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(15, $r, $lvl, $x)) } + none < old[pre_infer2](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(15, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer2](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_infer2](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_infer2](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(15, $r, $lvl, $x) 
== + old[pre_infer2](Counter_state($r, $lvl, $x))) + + // Inferring interference all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(15, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_infer2](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in + Join_interferenceSet_hf(15, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == old[pre_infer2](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_infer2](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_infer2](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(15, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_infer2](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Inferring interference all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(15, $r, $lvl)) } + none < old[pre_infer2](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(15, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < 
perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_infer2](LevelDummy_state($r, $lvl)) || false)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_infer2](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(15, $r, $lvl) == + old[pre_infer2](LevelDummy_state($r, $lvl))) + + // ------- Inferring interference context Counter,Join,LevelDummy (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(y.$fjcell_$_payload, write) && y.$fjcell_$_payload == true + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(y.$fjcell_$_payload, write) && y.$fjcell_$_payload == false + + // ------- inhale END -------------- + + assert $_levelVar_29 == $_levelVar_29 + } + $_levelVar_30 := $_levelVar_29 + + // ------- if-then-else END -------- + + fold acc(Join(s, alvl, y, r, lvl, x), write) + assert Join_state(s, alvl, y, r, lvl, x) == + old[pre_open_region2](Join_state(s, alvl, y, r, lvl, x)) + $_levelVar_31 := $_levelVar_28 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@240.5) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(16, $r, $lvl, $x)) } + none < old[pre_stabilize19](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(16, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + 
($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize19](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(16, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(16, $r, $lvl, $x) == + old[pre_stabilize19](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(16, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize19](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(16, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize19](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize19](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, 
$$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(16, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(16, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize19](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(16, $r, $lvl)) } + none < old[pre_stabilize19](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(16, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize19](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize19](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(16, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize19](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(16, $r, $lvl) == + old[pre_stabilize19](LevelDummy_state($r, $lvl))) + 
+ // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@240.5) END + + + // ------- while BEGIN ------------- + + label preWhile + while (v == 0) + invariant acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (acc(Join(s, alvl, y, r, lvl, x), write) && (alvl >= 0 && true)) + invariant (v == 0 ? + acc(Join_JOIN(s), write) : + Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write) && + acc(Counter_INCR(r), 1 / 2) && + Join_state(s, alvl, y, r, lvl, x) == 1) + { + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(Counter_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Counter_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(Counter_atomicity_context_fp($r, $lvl, $x))) ==> + Counter_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](Counter_atomicity_context_hf($r, $lvl, $x))) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($s, + $alvl, $y, $r, $lvl, $x), old[preWhile](perm(Join_atomicity_context_fp($s, + $alvl, $y, $r, $lvl, $x))))) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($s, $alvl, $y, $r, $lvl, $x) } + none < + old[preWhile](perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, + $x))) ==> + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x) == + 
old[preWhile](Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_atomicity_context_fp($r, + $lvl), old[preWhile](perm(LevelDummy_atomicity_context_fp($r, $lvl))))) + inhale (forall $r: Ref, $lvl: Int :: + { LevelDummy_atomicity_context_df($r, $lvl) } + none < + old[preWhile](perm(LevelDummy_atomicity_context_fp($r, $lvl))) ==> + LevelDummy_atomicity_context_hf($r, $lvl) == + old[preWhile](LevelDummy_atomicity_context_hf($r, $lvl))) + assert acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize20 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(s, alvl, y, r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(17, s, alvl, y, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(17, s, alvl, y, r, lvl, x)) == + ((none < perm(s.$diamond) && + none < perm(Join_atomicity_context_fp(s, alvl, y, r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(s, alvl, y, r, lvl, x))) && + ($$_m == old[pre_stabilize20](Join_state(s, alvl, y, r, lvl, x)) || + 0 == old[pre_stabilize20](Join_state(s, alvl, y, r, lvl, x)) && + 1 == $$_m && + true && + perm(Join_SET(s)) == none))) + quasihavoc Join(s, alvl, y, r, lvl, x) + inhale (Join_state(s, alvl, y, r, lvl, x) in + Join_interferenceSet_hf(17, s, alvl, y, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(17, s, alvl, y, r, lvl, x) == + old[pre_stabilize20](Join_state(s, alvl, y, r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_31 > alvl + $_levelVar_32 := alvl + unfold acc(Join(s, alvl, y, r, lvl, x), write) + label transitionPre6 + quasihavoc Counter_interferenceContext_fp(r, lvl, x) + + 
// no additional linking required + + + // havoc performed by other front resource + + inhale y.$fjcell_$value == 1 && y.$fjcell_$_payload ==> + Counter_interferenceReference_hf(17, r, lvl, x) == + old[transitionPre6](Counter_state(r, lvl, x)) + + // ------- heap-read BEGIN --------- + + v := y.$fjcell_$value + + // ------- heap-read END ----------- + + + // ------- if-then-else BEGIN ------ + + if (!(v == 0)) { + + // ------- fold BEGIN -------------- + + fold acc(Join(s, alvl, y, r, lvl, x), write) + assert alvl >= 0 && true + + // ------- fold END ---------------- + + + // ------- use-region-interpretation BEGIN + + unfold acc(Join(s, alvl, y, r, lvl, x), write) + inhale perm(Join_JOIN(s)) <= write + fold acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Inferring interference context Counter,Join,LevelDummy (infer interference context after use-region interpretation) BEGIN + + label pre_infer3 + + // Inferring interference all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(18, $r, $lvl, $x)) } + none < old[pre_infer3](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(18, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer3](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_infer3](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + 
old[pre_infer3](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(18, $r, $lvl, $x) == + old[pre_infer3](Counter_state($r, $lvl, $x))) + + // Inferring interference all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(18, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_infer3](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in + Join_interferenceSet_hf(18, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_infer3](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_infer3](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_infer3](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(18, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_infer3](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Inferring interference all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(18, $r, $lvl)) } + none < old[pre_infer3](perm(LevelDummy($r, $lvl))) ==> + ($$_m in 
LevelDummy_interferenceSet_hf(18, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_infer3](LevelDummy_state($r, $lvl)) || false)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_infer3](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(18, $r, $lvl) == + old[pre_infer3](LevelDummy_state($r, $lvl))) + + // ------- Inferring interference context Counter,Join,LevelDummy (infer interference context after use-region interpretation) END + + + // ------- use-region-interpretation END + + + // ------- unfold BEGIN ------------ + + assert alvl >= 0 && true + unfold acc(Join(s, alvl, y, r, lvl, x), write) + + // ------- Inferring interference context Counter,Join,LevelDummy (recompute interference context after unfold) BEGIN + + label pre_infer4 + + // Inferring interference all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(19, $r, $lvl, $x)) } + none < old[pre_infer4](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(19, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_infer4](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_infer4](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: 
Ref [Counter($r, $lvl, $x)] :: none < + old[pre_infer4](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(19, $r, $lvl, $x) == + old[pre_infer4](Counter_state($r, $lvl, $x))) + + // Inferring interference all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(19, $s, $alvl, $y, $r, $lvl, $x)) } + none < old[pre_infer4](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in + Join_interferenceSet_hf(19, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_infer4](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_infer4](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == $$_m && + true && + perm(Join_SET($s)) == none)))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_infer4](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(19, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_infer4](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Inferring interference all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(19, $r, $lvl)) } + none < old[pre_infer4](perm(LevelDummy($r, 
$lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(19, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_infer4](LevelDummy_state($r, $lvl)) || false)))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_infer4](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(19, $r, $lvl) == + old[pre_infer4](LevelDummy_state($r, $lvl))) + + // ------- Inferring interference context Counter,Join,LevelDummy (recompute interference context after unfold) END + + + // ------- unfold END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(y.$fjcell_$_payload, write) && y.$fjcell_$_payload == true + + // ------- exhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(y.$fjcell_$_payload, write) && + y.$fjcell_$_payload == false + + // ------- inhale END -------------- + + assert $_levelVar_32 == $_levelVar_32 + } + $_levelVar_33 := $_levelVar_32 + + // ------- if-then-else END -------- + + fold acc(Join(s, alvl, y, r, lvl, x), write) + assert Join_state(s, alvl, y, r, lvl, x) == + old[pre_open_region3](Join_state(s, alvl, y, r, lvl, x)) + $_levelVar_34 := $_levelVar_31 + + // ------- open-region END --------- + + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@240.5) BEGIN + + label pre_stabilize21 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Counter_interferenceSet_df(20, $r, $lvl, $x)) } + none < old[pre_stabilize21](perm(Counter($r, $lvl, $x))) ==> + ($$_m in Counter_interferenceSet_hf(20, 
$r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Counter_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize21](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize21](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(Counter($r, $lvl, $x))) ==> + (Counter_state($r, $lvl, $x) in + Counter_interferenceSet_hf(20, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(Counter($r, $lvl, $x))) ==> + Counter_interferenceReference_hf(20, $r, $lvl, $x) == + old[pre_stabilize21](Counter_state($r, $lvl, $x))) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in + Join_interferenceSet_df(20, $s, $alvl, $y, $r, $lvl, $x)) } + none < + old[pre_stabilize21](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + ($$_m in + Join_interferenceSet_hf(20, $s, $alvl, $y, $r, $lvl, $x)) == + ((none < perm($s.$diamond) && + none < + perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize21](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == + old[pre_stabilize21](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == 
$$_m && + true && + perm(Join_SET($s)) == none)))) + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_interferenceSet_hf(20, $s, $alvl, $y, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, + $alvl, $y, $r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + Join_interferenceReference_hf(20, $s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize21](Join_state($s, $alvl, $y, $r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(20, $r, $lvl)) } + none < old[pre_stabilize21](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(20, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize21](LevelDummy_state($r, $lvl)) || + false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize21](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(20, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + 
old[pre_stabilize21](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(20, $r, $lvl) == + old[pre_stabilize21](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Counter,Join,LevelDummy (after open-region@240.5) END + + assert $_levelVar_34 == $_levelVar_31 + } + $_levelVar_35 := $_levelVar_31 + + // ------- while END --------------- + +} + +method $_Counter_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale acc(x.$cell_$value, write) && true && 0 <= x.$cell_$value && + (Counter_CONT_T(r, 0 - 1 - x.$cell_$value) && + acc(Counter_CONT(r, 0 - 1 - x.$cell_$value), write)) && + (Counter_AUTH_T(r, x.$cell_$value) && + acc(Counter_AUTH(r, x.$cell_$value), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize22 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize22](Counter_state($r, $lvl, $x)) || + 
Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize22](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize22](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize22](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize22](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize22](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of region interpretation) END + + assert acc(x.$cell_$value, write) && true && 0 <= x.$cell_$value && + (Counter_CONT_T(r, 0 - 1 - x.$cell_$value) && + acc(Counter_CONT(r, 0 - 1 - 
x.$cell_$value), write)) && + (Counter_AUTH_T(r, x.$cell_$value) && + acc(Counter_AUTH(r, x.$cell_$value), write)) +} + +method $_Counter_action_transitivity_check() +{ + var INCR: Perm + var CONT: Set[Int] + var AUTH: Set[Int] + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && true && + 1 / 2 >= INCR + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && true && + 1 / 2 >= INCR + assert aState == cState || + aState == aState && cState == cState && true && 1 / 2 >= INCR +} + +method $_Join_interpretation_stability_check(s: Ref, alvl: Int, y: Ref, r: Ref, + lvl: Int, x: Ref) +{ + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale acc(y.$fjcell_$value, write) && true && + (y.$fjcell_$value == 0 || y.$fjcell_$value == 1) && + (acc(y.$fjcell_$_payload, write) && true) && + (y.$fjcell_$value == 1 ? + (y.$fjcell_$_payload ? 
+ acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && lvl < alvl && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) : + acc(Join_JOIN(s), write)) : + true) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize23 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize23](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize23](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize23](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize23](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize23](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize23](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 
1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize23](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize23](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of region interpretation) END + + assert acc(y.$fjcell_$value, write) && true && + (y.$fjcell_$value == 0 || y.$fjcell_$value == 1) && + (acc(y.$fjcell_$_payload, write) && true) && + (y.$fjcell_$value == 1 ? + (y.$fjcell_$_payload ? + acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && lvl < alvl && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) : + acc(Join_JOIN(s), write)) : + true) +} + +method $_Join_action_transitivity_check() +{ + var SET: Bool + var JOIN: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SET + inhale bState == cState || 0 == bState && 1 == cState && true && SET + assert aState == cState || 0 == aState && 1 == cState && true && SET +} + +method $_LevelDummy_interpretation_stability_check(r: Ref, lvl: Int) +{ + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref 
::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale true + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize24 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize24](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize24](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize24](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize24](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize24](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize24](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, 
$alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize24](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize24](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of region interpretation) END + + assert true +} + +method $_LevelDummy_action_transitivity_check() +{ + var LevelDummyG: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState + inhale bState == cState + assert aState == cState +} + +method $_thread_incr_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, s: Ref, alvl: Int, y: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl +{ + var $_levelVar_36: Int + inhale $_levelVar_36 >= 0 && $_levelVar_36 > lvl && $_levelVar_36 > alvl + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: 
Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize25 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize25](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize25](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize25](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize25](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize25](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize25](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + 
quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize25](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize25](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl +} + +method $_parallel_incr_condition_stability_precondition_check(lvl: Int, alvl: Int, + dummy: Ref, r: Ref, x: Ref) + requires acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true) && + (alvl > lvl && lvl >= 0) +{ + var $_levelVar_37: Int + var y1: Ref + var y2: Ref + var s1: Ref + var s2: Ref + var s1_lvl: Int + var s2_lvl: Int + inhale $_levelVar_37 >= 0 && $_levelVar_37 > alvl + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label 
pre_stabilize26 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize26](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize26](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize26](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize26](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize26](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize26](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: 
Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize26](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize26](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true) && + (alvl > lvl && lvl >= 0) +} + +method $_CONT_split_condition_stability_precondition_check(r: Ref, n: Int, m: Int) + requires Counter_CONT_T(r, n + m) && acc(Counter_CONT(r, n + m), write) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 +{ + var $_levelVar_38: Int + inhale $_levelVar_38 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize27 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize27](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) 
in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize27](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize27](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize27](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize27](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize27](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize27](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize27](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert 
Counter_CONT_T(r, n + m) && acc(Counter_CONT(r, n + m), write) && + (0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0) +} + +method $_CONT_join_condition_stability_precondition_check(r: Ref, n: Int, m: Int) + requires Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, m) && acc(Counter_CONT(r, m), write)) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 +{ + var $_levelVar_39: Int + inhale $_levelVar_39 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize28 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize28](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize28](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize28](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 
/ 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize28](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize28](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize28](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize28](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize28](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, m) && acc(Counter_CONT(r, m), write)) && + (0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0) +} + +method $_CONT_false1_condition_stability_precondition_check(r: Ref, n: Int) + requires Counter_CONT_T(r, 0 - 1) && acc(Counter_CONT(r, 0 - 1), write) 
&& + (Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write)) && + 0 < n +{ + var $_levelVar_40: Int + inhale $_levelVar_40 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize29 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize29](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize29](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize29](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + 
old[pre_stabilize29](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize29](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize29](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize29](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize29](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_CONT_T(r, 0 - 1) && acc(Counter_CONT(r, 0 - 1), write) && + (Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write)) && + 0 < n +} + +method $_CONT_max1_condition_stability_precondition_check(r: Ref, n: Int, m: Int) + requires Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, 0 - 1 - m) && acc(Counter_CONT(r, 0 - 1 - m), write)) && + 0 <= n && + 0 <= m +{ + var $_levelVar_41: Int + inhale $_levelVar_41 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + 
inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize30 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize30](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize30](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize30](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize30](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize30](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == 
old[pre_stabilize30](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize30](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize30](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_CONT_T(r, n) && acc(Counter_CONT(r, n), write) && + (Counter_CONT_T(r, 0 - 1 - m) && acc(Counter_CONT(r, 0 - 1 - m), write)) && + 0 <= n && + 0 <= m +} + +method $_AUTH_split_condition_stability_precondition_check(r: Ref, n: Int, m: Int) + requires Counter_AUTH_T(r, n + m) && acc(Counter_AUTH(r, n + m), write) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 +{ + var $_levelVar_42: Int + inhale $_levelVar_42 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize31 + + 
// Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize31](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize31](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize31](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize31](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize31](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize31](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, 
$lvl)] :: none < + old[pre_stabilize31](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize31](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_AUTH_T(r, n + m) && acc(Counter_AUTH(r, n + m), write) && + (0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0) +} + +method $_AUTH_join_condition_stability_precondition_check(r: Ref, n: Int, m: Int) + requires Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, m) && acc(Counter_AUTH(r, m), write)) + requires 0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0 +{ + var $_levelVar_43: Int + inhale $_levelVar_43 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize32 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize32](perm(Counter($r, $lvl, $x))) ==> + (none < 
perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize32](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize32](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize32](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize32](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize32](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize32](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize32](LevelDummy_state($r, $lvl)) || + false)) + 
+ // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, m) && acc(Counter_AUTH(r, m), write)) && + (0 <= n && 0 <= m || n < 0 && 0 <= m && n + m < 0 || + m < 0 && 0 <= n && n + m < 0) +} + +method $_AUTH_false1_condition_stability_precondition_check(r: Ref, n: Int) + requires Counter_AUTH_T(r, 0 - 1) && acc(Counter_AUTH(r, 0 - 1), write) && + (Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write)) && + 0 < n +{ + var $_levelVar_44: Int + inhale $_levelVar_44 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize33 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize33](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize33](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize33](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, 
$x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize33](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize33](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize33](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize33](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize33](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_AUTH_T(r, 0 - 1) && acc(Counter_AUTH(r, 0 - 1), write) && + (Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write)) && + 0 < n +} + +method $_AUTH_max1_condition_stability_precondition_check(r: Ref, n: Int, m: Int) + requires Counter_AUTH_T(r, n) && 
acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, 0 - 1 - m) && acc(Counter_AUTH(r, 0 - 1 - m), write)) && + 0 <= n && + 0 <= m +{ + var $_levelVar_45: Int + inhale $_levelVar_45 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize34 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize34](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize34](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize34](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref 
[Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize34](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize34](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize34](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize34](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize34](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert Counter_AUTH_T(r, n) && acc(Counter_AUTH(r, n), write) && + (Counter_AUTH_T(r, 0 - 1 - m) && acc(Counter_AUTH(r, 0 - 1 - m), write)) && + 0 <= n && + 0 <= m +} + +method $_makeCounter_condition_stability_precondition_check(lvl: Int, r: Ref, + x: Ref) + requires lvl >= 0 +{ + var $_levelVar_46: Int + inhale $_levelVar_46 >= 0 + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref 
::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize35 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize35](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize35](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize35](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize35](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize35](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize35](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, 
$lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize35](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize35](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert lvl >= 0 +} + +method $_incr_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) +{ + var $_levelVar_47: Int + var b: Bool + var v: Int + inhale $_levelVar_47 >= 0 && $_levelVar_47 > lvl + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize36 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm 
+ $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize36](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize36](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize36](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize36](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize36](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize36](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize36](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + 
LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize36](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_AUTH_T(r, 1) && acc(Counter_AUTH(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) +} + +method $_make_join_condition_stability_precondition_check(alvl: Int, r: Ref, + lvl: Int, x: Ref, s: Ref, y: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + lvl < alvl +{ + var $_levelVar_48: Int + inhale $_levelVar_48 >= 0 && $_levelVar_48 > lvl + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize37 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize37](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize37](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + 
old[pre_stabilize37](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize37](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize37](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize37](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize37](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize37](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && lvl < alvl +} + +method $_set_to_one_condition_stability_precondition_check(s: Ref, alvl: Int, + y: Ref, r: Ref, lvl: Int, x: Ref) + 
requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl +{ + var $_levelVar_49: Int + inhale $_levelVar_49 >= 0 && $_levelVar_49 > lvl && $_levelVar_49 > alvl + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize38 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize38](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize38](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize38](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: 
Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize38](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize38](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize38](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize38](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize38](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + (Counter_CONT_T(r, 1) && acc(Counter_CONT(r, 1), write)) && + acc(Counter_INCR(r), 1 / 2) && + (acc(Join(s, alvl, y, r, lvl, x), write) && + (alvl >= 0 && Join_state(s, alvl, y, r, lvl, x) == 0)) && + acc(Join_SET(s), write) && + lvl < alvl +} + +method $_wait_condition_stability_precondition_check(s: Ref, alvl: Int, y: Ref, + r: Ref, lvl: Int, x: Ref) + requires acc(Counter(r, lvl, x), write) && (lvl >= 0 && 
true) && + acc(Join_JOIN(s), write) && + (acc(Join(s, alvl, y, r, lvl, x), write) && (alvl >= 0 && true)) +{ + var $_levelVar_50: Int + var v: Int + inhale $_levelVar_50 >= 0 && $_levelVar_50 > lvl && $_levelVar_50 > alvl + inhale acc(Counter_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Counter_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $s: Ref, $alvl: Int, $y: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($s, + $alvl, $y, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize39 + + // Stabilising all instances of region Counter + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Counter($$r, $$lvl, $$x) + exhale acc(Counter_sk_fp(), write) + inhale acc(Counter_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Counter($r, $lvl, $x)] :: none < + old[pre_stabilize39](perm(Counter($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Counter_atomicity_context_fp($r, $lvl, $x)) ==> + (Counter_state($r, $lvl, $x) in + Counter_atomicity_context_hf($r, $lvl, $x))) && + (Counter_state($r, $lvl, $x) == + old[pre_stabilize39](Counter_state($r, $lvl, $x)) || + Counter_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize39](Counter_state($r, $lvl, $x)) && + Counter_sk_$_action_m($r, $lvl, $x) == Counter_state($r, $lvl, $x) && + true && + perm(Counter_INCR($r)) <= write - 1 / 2)) + + // Stabilising all instances of region Join + quasihavocall $$s: Ref, $$alvl: Int, $$y: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$s, + $$alvl, $$y, $$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $s: Ref, $alvl: Int, $y: Ref, 
$r: Ref, $lvl: Int, $x: Ref [Join($s, $alvl, + $y, $r, $lvl, $x)] :: none < + old[pre_stabilize39](perm(Join($s, $alvl, $y, $r, $lvl, $x))) ==> + (none < perm($s.$diamond) && + none < perm(Join_atomicity_context_fp($s, $alvl, $y, $r, $lvl, $x)) ==> + (Join_state($s, $alvl, $y, $r, $lvl, $x) in + Join_atomicity_context_hf($s, $alvl, $y, $r, $lvl, $x))) && + (Join_state($s, $alvl, $y, $r, $lvl, $x) == + old[pre_stabilize39](Join_state($s, $alvl, $y, $r, $lvl, $x)) || + 0 == old[pre_stabilize39](Join_state($s, $alvl, $y, $r, $lvl, $x)) && + 1 == Join_state($s, $alvl, $y, $r, $lvl, $x) && + true && + perm(Join_SET($s)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize39](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize39](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Counter,Join,LevelDummy (check stability of method condition) END + + assert acc(Counter(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_JOIN(s), write) && + (acc(Join(s, alvl, y, r, lvl, x), write) && (alvl >= 0 && true)) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoin.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoin.vl.vpr new file mode 100644 index 00000000..8c483910 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoin.vl.vpr 
@@ -0,0 +1,831 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Join_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function Join_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Join_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function Join_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function Join_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_atomicity_context_fp(r, lvl, x), write) + ensures [Join_atomicity_context_df(r, lvl, x), true] + + +function Join_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in Join_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Join_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [Join_interferenceReference_df($p0, r, lvl, x), true] + + +function Join_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Join(r, lvl, x), write) + ensures [Join_state_T(r, lvl, x), true] +{ + (unfolding acc(Join(r, lvl, x), write) in x.$memcell_$f) +} + +predicate Join_SET($r: Ref) + +predicate Join_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_sk_fp() + +predicate Join(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +method 
havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_Join() + + +method ___silicon_hack407_havoc_all_Join_interferenceContext_fp() + + +method makeJoin(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(Join(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) +{ + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + ret.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Join (after heap-write@19.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize0](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize0](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + 
Join_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after heap-write@19.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Join_SET(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Join(r, lvl, ret), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method set_to_one(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_SET(r), write) +{ + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for use-atomic) BEGIN + + label pre_stabilize + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(2, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(2, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize](Join_state(r, lvl, x)) && 1 == $$_m && true && + true))) + quasihavoc Join(r, lvl, x) + inhale 
(Join_state(r, lvl, x) in Join_interferenceSet_hf(2, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(2, r, lvl, x) == + old[pre_stabilize](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Join_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + exhale acc(Join_SET(r), write) + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Join_SET(r), write) + exhale acc(Join(r, lvl, x), perm(Join(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 1 + + // ------- heap-write END ---------- + + fold acc(Join(r, lvl, x), write) + assert old[pre_use_atomic0](Join_state(r, lvl, x)) == + Join_state(r, lvl, x) || + 0 == old[pre_use_atomic0](Join_state(r, lvl, x)) && + 1 == Join_state(r, lvl, x) + $_levelVar_3 := $_levelVar_1 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Join (after use-atomic@31.3) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize2](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) 
+ inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize2](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after use-atomic@31.3) END + +} + +method wait(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) +{ + var v: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + inhale $_levelVar_4 >= 0 && $_levelVar_4 > lvl + assert $_levelVar_4 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize3 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(4, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(4, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize3](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize3](Join_state(r, lvl, x)) && 1 == $$_m && true && + true))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in Join_interferenceSet_hf(4, r, lvl, x)) + + // havoc 
performed by other front resource + + inhale Join_interferenceReference_hf(4, r, lvl, x) == + old[pre_stabilize3](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_4 > lvl + $_levelVar_5 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region0](Join_state(r, lvl, x)) + $_levelVar_6 := $_levelVar_4 + + // ------- open-region END --------- + + + // ------- Stabilising regions Join (after open-region@47.5) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize4](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + 
old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize4](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after open-region@47.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (v == 0) + invariant acc(Join(r, lvl, x), write) && (lvl >= 0 && true) + invariant (v == 0 ? + Join_state(r, lvl, x) >= 0 : + Join_state(r, lvl, x) == 1) + { + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))) ==> + Join_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Join_atomicity_context_hf($r, $lvl, $x))) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize5 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(6, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(6, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize5](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize5](Join_state(r, lvl, x)) && 1 == $$_m && + true && + true))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in Join_interferenceSet_hf(6, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(6, r, lvl, x) == + 
old[pre_stabilize5](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_6 > lvl + $_levelVar_7 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region](Join_state(r, lvl, x)) + $_levelVar_8 := $_levelVar_6 + + // ------- open-region END --------- + + + // ------- Stabilising regions Join (after open-region@47.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize6](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + true)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(7, $r, $lvl, 
$x) == + old[pre_stabilize6](Join_state($r, $lvl, $x))) + + // ------- Stabilising regions Join (after open-region@47.5) END + + assert $_levelVar_8 == $_levelVar_6 + } + $_levelVar_9 := $_levelVar_6 + + // ------- while END --------------- + +} + +method $_Join_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) + + // ------- Stabilising regions Join (check stability of region interpretation) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize7](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize7](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +method $_Join_action_transitivity_check() +{ + var SET: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SET + inhale bState == cState || 0 == bState && 1 == cState && true && SET + assert aState == cState || 0 == aState && 1 == cState && true && SET +} + +method $_makeJoin_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ 
+ var $_levelVar_10: Int + inhale $_levelVar_10 >= 0 + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Join (check stability of method condition) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize8](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize8](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of method condition) END + + assert lvl >= 0 +} + +method $_set_to_one_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) +{ + var $_levelVar_11: Int + inhale $_levelVar_11 >= 0 && $_levelVar_11 > lvl + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Join (check stability of method condition) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < 
perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize9](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize9](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && (lvl >= 0 && true) && + acc(Join_SET(r), write) +} + +method $_wait_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_12: Int + var v: Int + inhale $_levelVar_12 >= 0 && $_levelVar_12 > lvl + inhale acc(Join_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Join (check stability of method condition) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize10](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize10](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + true)) + + // ------- Stabilising regions Join (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && (lvl >= 0 && true) +} \ No newline at end of file 
diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoinClient.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoinClient.vl.vpr new file mode 100644 index 00000000..9afdfde1 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/ForkJoinClient.vl.vpr 
@@ -0,0 +1,2771 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Flag_state_T(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref): Bool + + function Join_state_T(r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_state_T(r: Ref, lvl: Int): Bool +} + +domain interferenceReference_Domain { + + function Flag_interferenceReference_df($p0: Int, r: Ref, alvl: Int, s: Ref, + lvl: Int, x: Ref, y: Ref): Bool + + function Join_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_interferenceReference_df($p0: Int, r: Ref, lvl: Int): Bool +} + +domain interferenceSet_Domain { + + function Flag_interferenceSet_df($p0: Int, r: Ref, alvl: Int, s: Ref, lvl: Int, + x: Ref, y: Ref): Set[Int] + + function Join_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + + function LevelDummy_interferenceSet_df($p0: Int, r: Ref, lvl: Int): Set[Int] +} + +domain atomicity_context_Domain { + + function Flag_atomicity_context_df(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref): Bool + + function Join_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool + + function LevelDummy_atomicity_context_df(r: Ref, lvl: Int): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function Flag_atomicity_context_hf(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref): Set[Int] + requires acc(Flag_atomicity_context_fp(r, alvl, s, lvl, x, y), write) + ensures [Flag_atomicity_context_df(r, alvl, s, lvl, x, y), true] + + +function Flag_interferenceSet_hf($p0: Int, r: Ref, alvl: Int, s: Ref, lvl: Int, + x: Ref, y: Ref): Set[Int] + requires acc(Flag_interferenceContext_fp(r, alvl, s, lvl, x, y), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in 
Flag_interferenceSet_df($p0, r, alvl, s, lvl, x, y))), + true] + + +function Flag_interferenceReference_hf($p0: Int, r: Ref, alvl: Int, s: Ref, + lvl: Int, x: Ref, y: Ref): Int + requires acc(Flag_interferenceContext_fp(r, alvl, s, lvl, x, y), write) + ensures [Flag_interferenceReference_df($p0, r, alvl, s, lvl, x, y), true] + + +function Flag_state(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref): Int + requires acc(Flag(r, alvl, s, lvl, x, y), write) + ensures [Flag_state_T(r, alvl, s, lvl, x, y), true] +{ + (unfolding acc(Flag(r, alvl, s, lvl, x, y), write) in x.$memcell_$f) +} + +function Join_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_atomicity_context_fp(r, lvl, x), write) + ensures [Join_atomicity_context_df(r, lvl, x), true] + + +function Join_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in Join_interferenceSet_df($p0, r, lvl, x))), + true] + + +function Join_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(Join_interferenceContext_fp(r, lvl, x), write) + ensures [Join_interferenceReference_df($p0, r, lvl, x), true] + + +function Join_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(Join(r, lvl, x), write) + ensures [Join_state_T(r, lvl, x), true] +{ + (unfolding acc(Join(r, lvl, x), write) in x.$memcell_$f) +} + +function LevelDummy_atomicity_context_hf(r: Ref, lvl: Int): Set[Int] + requires acc(LevelDummy_atomicity_context_fp(r, lvl), write) + ensures [LevelDummy_atomicity_context_df(r, lvl), true] + + +function LevelDummy_interferenceSet_hf($p0: Int, r: Ref, lvl: Int): Set[Int] + requires acc(LevelDummy_interferenceContext_fp(r, lvl), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in LevelDummy_interferenceSet_df($p0, r, lvl))), + true] + + +function 
LevelDummy_interferenceReference_hf($p0: Int, r: Ref, lvl: Int): Int + requires acc(LevelDummy_interferenceContext_fp(r, lvl), write) + ensures [LevelDummy_interferenceReference_df($p0, r, lvl), true] + + +function LevelDummy_state(r: Ref, lvl: Int): Int + requires acc(LevelDummy(r, lvl), write) + ensures [LevelDummy_state_T(r, lvl), true] +{ + (unfolding acc(LevelDummy(r, lvl), write) in 0) +} + +predicate Flag_SFLAG($r: Ref) + +predicate Flag_atomicity_context_fp(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref) + +predicate Flag_interferenceContext_fp(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, + y: Ref) + +predicate Flag_sk_fp() + +predicate Flag(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) && + (x.$memcell_$f == 0 ? + acc(Join(s, lvl, y), write) && (lvl >= 0 && Join_state(s, lvl, y) == 0) && + lvl < alvl && + acc(Join_SET(s), write) : + true) && + (x.$memcell_$f == 1 ? + acc(Join(s, lvl, y), write) && (lvl >= 0 && true) && lvl < alvl : + true) +} + +predicate Join_SET($r: Ref) + +predicate Join_Z($r: Ref) + +predicate Join_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate Join_sk_fp() + +predicate Join(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +predicate LevelDummy_LevelDummyG($r: Ref) + +predicate LevelDummy_atomicity_context_fp(r: Ref, lvl: Int) + +predicate LevelDummy_interferenceContext_fp(r: Ref, lvl: Int) + +predicate LevelDummy_sk_fp() + +predicate LevelDummy(r: Ref, lvl: Int) { + true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_Flag() + + +method ___silicon_hack407_havoc_all_Flag_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_Join() + + +method 
___silicon_hack407_havoc_all_Join_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_LevelDummy() + + +method ___silicon_hack407_havoc_all_LevelDummy_interferenceContext_fp() + + +method thread2(r: Ref, alvl: Int, s: Ref, lvl: Int, x: Ref, y: Ref) + requires acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) +{ + var $_levelVar_0: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + inhale $_levelVar_0 >= 0 && $_levelVar_0 > alvl + assert $_levelVar_0 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Flag(r, alvl, s, lvl, x, y), write) + + // ------- Stabilising regions Flag (infer context for use-atomic) BEGIN + + label pre_stabilize0 + + // Stabilising single instance of region Flag + quasihavoc Flag_interferenceContext_fp(r, alvl, s, lvl, x, y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(1, r, alvl, s, lvl, x, y)) } + ($$_m in Flag_interferenceSet_hf(1, r, alvl, s, lvl, x, y)) == + ((none < perm(r.$diamond) && + none < perm(Flag_atomicity_context_fp(r, alvl, s, lvl, x, y)) ==> + ($$_m in Flag_atomicity_context_hf(r, alvl, s, lvl, x, y))) && + ($$_m == old[pre_stabilize0](Flag_state(r, alvl, s, lvl, x, y)) || + 0 == old[pre_stabilize0](Flag_state(r, alvl, s, lvl, x, y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG(r)) == none))) + quasihavoc Flag(r, alvl, s, lvl, x, y) + inhale (Flag_state(r, 
alvl, s, lvl, x, y) in + Flag_interferenceSet_hf(1, r, alvl, s, lvl, x, y)) + + // havoc performed by other front resource + + inhale Flag_interferenceReference_hf(1, r, alvl, s, lvl, x, y) == + old[pre_stabilize0](Flag_state(r, alvl, s, lvl, x, y)) + + // ------- Stabilising regions Flag (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Flag_atomicity_context_fp(r, alvl, s, lvl, x, y)) == none + assert $_levelVar_0 > alvl + $_levelVar_1 := alvl + exhale acc(Flag_SFLAG(r), write) + unfold acc(Flag(r, alvl, s, lvl, x, y), write) + label transitionPre0 + quasihavoc Join_interferenceContext_fp(s, lvl, y) + + // no additional linking required + + + // havoc performed by other front resource + + inhale x.$memcell_$f == 0 ==> + Join_interferenceReference_hf(1, s, lvl, y) == + old[transitionPre0](Join_state(s, lvl, y)) + + // havoc performed by other front resource + + inhale x.$memcell_$f == 1 ==> + Join_interferenceReference_hf(1, s, lvl, y) == + old[transitionPre0](Join_state(s, lvl, y)) + inhale acc(Flag_SFLAG(r), write) + exhale acc(Flag(r, alvl, s, lvl, x, y), perm(Flag(r, alvl, s, lvl, x, y))) + + // ------- assert BEGIN ------------ + + assert acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 1 + + // ------- heap-write END ---------- + + fold acc(Flag(r, alvl, s, lvl, x, y), write) + assert old[pre_use_atomic0](Flag_state(r, alvl, s, lvl, x, y)) == + Flag_state(r, alvl, s, lvl, x, y) || + 0 == old[pre_use_atomic0](Flag_state(r, alvl, s, lvl, x, y)) && + 1 == Flag_state(r, alvl, s, lvl, x, y) + $_levelVar_2 := $_levelVar_0 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions 
Flag,Join,LevelDummy (after use-atomic@18.3) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(2, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(2, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(2, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(2, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: 
Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(2, $r, $lvl)) } + none < old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(2, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: 
LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(2, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(2, $r, $lvl) == + old[pre_stabilize](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after use-atomic@18.3) END + + + // ------- call:set_to_one BEGIN --- + + assert true + label pre_call0 + assert $_levelVar_2 >= 0 && $_levelVar_2 > lvl + assert true + exhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + acc(Join_SET(s), write) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:set_to_one@25.3) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize2](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize2](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize2](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, 
$$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize2](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize2](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize2](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize2](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:set_to_one@25.3) END + + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 1) && + acc(Join_SET(s), write) + + // ------- call:set_to_one END ----- + +} + +method main(dummy: Ref, lvl: Int, alvl: Int) + returns (x: Ref, y: Ref, r: Ref, s: Ref, ret: Int) + requires alvl > lvl && lvl >= 0 && + (acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true)) + ensures acc(Flag(r, alvl, s, lvl, x, y), write) && (alvl >= 0 && true) && + ret == 1 +{ + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + inhale $_levelVar_3 >= 0 && $_levelVar_3 > alvl + assert $_levelVar_3 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // 
no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(x.$memcell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@35.3) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(3, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize3](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(3, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize3](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize3](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < 
+ old[pre_stabilize3](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(3, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize3](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(3, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize3](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize3](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize3](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: 
LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(3, $r, $lvl)) } + none < old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(3, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize3](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(3, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize3](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(3, $r, $lvl) == + old[pre_stabilize3](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@35.3) END + + + // ------- call:makeJoin BEGIN ----- + + assert true + label pre_call + assert $_levelVar_3 >= 0 + assert true + exhale lvl >= 0 + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:makeJoin@37.3) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize4](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < 
perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize4](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize4](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize4](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize4](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize4](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize4](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:makeJoin@37.3) END + + y := havoc_Ref() + s := havoc_Ref() + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + acc(Join_SET(s), write) + + // ------- 
call:makeJoin END ------- + + + // ------- assert BEGIN ------------ + + assert acc(Join(s, lvl, y), write) && (lvl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Join(s, lvl, y), write) && (lvl >= 0 && true) + + // ------- inhale END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Flag_SFLAG(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Flag(r, alvl, s, lvl, x, y), write) + assert alvl >= 0 && true + + // ------- fold END ---------------- + + + // ------- assert BEGIN ------------ + + assert acc(Flag(r, alvl, s, lvl, x, y), write) && (alvl >= 0 && true) + + // ------- assert END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(Flag(r, alvl, s, lvl, x, y), write) && (alvl >= 0 && true) + + // ------- inhale END -------------- + + + // ------- exhale BEGIN ------------ + + exhale acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) + + // ------- exhale END -------------- + + + // skip; + + + // ------- Stabilising regions Flag,Join,LevelDummy (after skip@53.3) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(4, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize5](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(4, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in 
Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize5](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize5](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize5](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(4, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize5](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(4, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize5](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize5](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, 
$x)] :: none < + old[pre_stabilize5](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize5](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(4, $r, $lvl)) } + none < old[pre_stabilize5](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(4, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize5](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize5](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(4, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize5](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(4, $r, $lvl) == + old[pre_stabilize5](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after skip@53.3) END + + + // ------- call:wait BEGIN --------- + + assert true + label pre_call2 + assert $_levelVar_3 >= 0 && $_levelVar_3 > lvl + assert true + exhale acc(Join(s, lvl, y), write) && (lvl >= 0 && true) + + // ------- Stabilising regions 
Flag,Join,LevelDummy (within call:wait@55.3) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize6](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize6](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize6](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize6](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize6](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + 
old[pre_stabilize6](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize6](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (within call:wait@55.3) END + + inhale acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 1) + + // ------- call:wait END ----------- + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_3 > alvl + $_levelVar_4 := alvl + unfold acc(Flag(r, alvl, s, lvl, x, y), write) + label transitionPre + quasihavoc Join_interferenceContext_fp(s, lvl, y) + + // no additional linking required + + + // havoc performed by other front resource + + inhale x.$memcell_$f == 0 ==> + Join_interferenceReference_hf(4, s, lvl, y) == + old[transitionPre](Join_state(s, lvl, y)) + + // havoc performed by other front resource + + inhale x.$memcell_$f == 1 ==> + Join_interferenceReference_hf(4, s, lvl, y) == + old[transitionPre](Join_state(s, lvl, y)) + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Flag(r, alvl, s, lvl, x, y), write) + assert Flag_state(r, alvl, s, lvl, x, y) == + old[pre_open_region0](Flag_state(r, alvl, s, lvl, x, y)) + $_levelVar_5 := $_levelVar_3 + + // ------- open-region END --------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@57.3) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: 
(forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(5, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize7](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(5, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize7](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize7](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize7](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(5, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize7](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(5, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize7](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in 
Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize7](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize7](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(5, $r, $lvl)) } + none < old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(5, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize7](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(5, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize7](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(5, $r, $lvl) == + 
old[pre_stabilize7](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@57.3) END + +} + +method makeJoin(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(Join(r, lvl, ret), write) && + (lvl >= 0 && Join_state(r, lvl, ret) == 0) && + acc(Join_SET(r), write) +{ + var $_levelVar_6: Int + inhale $_levelVar_6 >= 0 + assert $_levelVar_6 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$f, write) && true + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + ret.$memcell_$f := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@85.3) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(6, $r, $alvl, $s, $lvl, $x, $y)) } + none < old[pre_stabilize8](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(6, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, 
$lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize8](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize8](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize8](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(6, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize8](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(6, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize8](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize8](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: 
Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize8](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(6, $r, $lvl)) } + none < old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(6, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize8](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(6, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize8](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(6, $r, $lvl) == + old[pre_stabilize8](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after heap-write@85.3) END + + + // ------- inhale BEGIN ------------ + + inhale acc(Join_SET(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(Join(r, lvl, ret), write) + 
assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method set_to_one(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 0) && + acc(Join_SET(r), write) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) && + acc(Join_SET(r), write) +{ + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + inhale $_levelVar_7 >= 0 && $_levelVar_7 > lvl + assert $_levelVar_7 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for use-atomic) BEGIN + + label pre_stabilize9 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(7, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(7, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize9](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize9](Join_state(r, lvl, x)) && 1 == $$_m && true && + perm(Join_SET(r)) == none))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in Join_interferenceSet_hf(7, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(7, r, lvl, x) == + 
old[pre_stabilize9](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(Join_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + exhale acc(Join_SET(r), write) + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(Join_SET(r), write) + exhale acc(Join(r, lvl, x), perm(Join(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 1 + + // ------- heap-write END ---------- + + fold acc(Join(r, lvl, x), write) + assert old[pre_use_atomic](Join_state(r, lvl, x)) == + Join_state(r, lvl, x) || + 0 == old[pre_use_atomic](Join_state(r, lvl, x)) && + 1 == Join_state(r, lvl, x) + $_levelVar_9 := $_levelVar_7 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after use-atomic@97.3) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in Flag_interferenceSet_df(8, $r, $alvl, $s, $lvl, $x, $y)) } + none < + old[pre_stabilize10](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(8, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize10](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize10](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == 
none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize10](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(8, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize10](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(8, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize10](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(8, $r, $lvl, $x)) } + none < old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(8, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize10](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize10](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(8, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, 
$lvl, $x)] :: none < + old[pre_stabilize10](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(8, $r, $lvl, $x) == + old[pre_stabilize10](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(8, $r, $lvl)) } + none < old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(8, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize10](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(8, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize10](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(8, $r, $lvl) == + old[pre_stabilize10](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after use-atomic@97.3) END + +} + +method wait(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) + ensures acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 1) +{ + var v: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + inhale $_levelVar_10 >= 0 && $_levelVar_10 > lvl + assert $_levelVar_10 >= 0 + inhale acc(Flag_sk_fp(), write) && 
acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize11 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(9, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(9, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize11](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize11](Join_state(r, lvl, x)) && 1 == $$_m && true && + perm(Join_SET(r)) == none))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in Join_interferenceSet_hf(9, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(9, r, lvl, x) == + old[pre_stabilize11](Join_state(r, lvl, x)) + + // ------- Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_10 > lvl + $_levelVar_11 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region](Join_state(r, lvl, 
x)) + $_levelVar_12 := $_levelVar_10 + + // ------- open-region END --------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@113.5) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in + Flag_interferenceSet_df(10, $r, $alvl, $s, $lvl, $x, $y)) } + none < + old[pre_stabilize12](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in Flag_interferenceSet_hf(10, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize12](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize12](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize12](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(10, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize12](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(10, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize12](Flag_state($r, $alvl, $s, 
$lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(10, $r, $lvl, $x)) } + none < old[pre_stabilize12](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(10, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize12](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize12](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(10, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(10, $r, $lvl, $x) == + old[pre_stabilize12](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(10, $r, $lvl)) } + none < old[pre_stabilize12](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(10, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in 
LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize12](LevelDummy_state($r, $lvl)) || false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize12](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(10, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize12](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(10, $r, $lvl) == + old[pre_stabilize12](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@113.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (v == 0) + invariant acc(Join(r, lvl, x), write) && (lvl >= 0 && true) + invariant (v == 0 ? + Join_state(r, lvl, x) >= 0 : + Join_state(r, lvl, x) == 1) + { + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_atomicity_context_fp($r, + $alvl, $s, $lvl, $x, $y), old[preWhile0](perm(Flag_atomicity_context_fp($r, + $alvl, $s, $lvl, $x, $y))))) + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref :: + { Flag_atomicity_context_df($r, $alvl, $s, $lvl, $x, $y) } + none < + old[preWhile0](perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, + $y))) ==> + Flag_atomicity_context_hf($r, 
$alvl, $s, $lvl, $x, $y) == + old[preWhile0](Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { Join_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(Join_atomicity_context_fp($r, $lvl, $x))) ==> + Join_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](Join_atomicity_context_hf($r, $lvl, $x))) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_atomicity_context_fp($r, + $lvl), old[preWhile0](perm(LevelDummy_atomicity_context_fp($r, $lvl))))) + inhale (forall $r: Ref, $lvl: Int :: + { LevelDummy_atomicity_context_df($r, $lvl) } + none < + old[preWhile0](perm(LevelDummy_atomicity_context_fp($r, $lvl))) ==> + LevelDummy_atomicity_context_hf($r, $lvl) == + old[preWhile0](LevelDummy_atomicity_context_hf($r, $lvl))) + assert acc(Join(r, lvl, x), write) + + // ------- Stabilising regions Join (infer context for open-region) BEGIN + + label pre_stabilize13 + + // Stabilising single instance of region Join + quasihavoc Join_interferenceContext_fp(r, lvl, x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(11, r, lvl, x)) } + ($$_m in Join_interferenceSet_hf(11, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(Join_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in Join_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize13](Join_state(r, lvl, x)) || + 0 == old[pre_stabilize13](Join_state(r, lvl, x)) && 1 == $$_m && + true && + perm(Join_SET(r)) == none))) + quasihavoc Join(r, lvl, x) + inhale (Join_state(r, lvl, x) in + Join_interferenceSet_hf(11, r, lvl, x)) + + // havoc performed by other front resource + + inhale Join_interferenceReference_hf(11, r, lvl, x) == + old[pre_stabilize13](Join_state(r, lvl, x)) + + // ------- 
Stabilising regions Join (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_12 > lvl + $_levelVar_13 := lvl + unfold acc(Join(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$f + + // ------- heap-read END ----------- + + fold acc(Join(r, lvl, x), write) + assert Join_state(r, lvl, x) == + old[pre_open_region2](Join_state(r, lvl, x)) + $_levelVar_14 := $_levelVar_12 + + // ------- open-region END --------- + + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@113.5) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag_interferenceContext_fp($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: (forall $$_m: Int :: + { ($$_m in + Flag_interferenceSet_df(12, $r, $alvl, $s, $lvl, $x, $y)) } + none < + old[pre_stabilize14](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + ($$_m in + Flag_interferenceSet_hf(12, $r, $alvl, $s, $lvl, $x, $y)) == + ((none < perm($r.$diamond) && + none < + perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + ($$_m in Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + ($$_m == + old[pre_stabilize14](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == + old[pre_stabilize14](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == $$_m && + true && + perm(Flag_SFLAG($r)) == none)))) + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: none < + old[pre_stabilize14](perm(Flag($r, 
$alvl, $s, $lvl, $x, $y))) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_interferenceSet_hf(12, $r, $alvl, $s, $lvl, $x, $y))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, + $alvl, $s, $lvl, $x, $y)] :: none < + old[pre_stabilize14](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + Flag_interferenceReference_hf(12, $r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize14](Flag_state($r, $alvl, $s, $lvl, $x, $y))) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Join_interferenceSet_df(12, $r, $lvl, $x)) } + none < old[pre_stabilize14](perm(Join($r, $lvl, $x))) ==> + ($$_m in Join_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in Join_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize14](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize14](Join_state($r, $lvl, $x)) && 1 == $$_m && + true && + perm(Join_SET($r)) == none)))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Join($r, $lvl, $x))) ==> + (Join_state($r, $lvl, $x) in + Join_interferenceSet_hf(12, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(Join($r, $lvl, $x))) ==> + Join_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_stabilize14](Join_state($r, $lvl, $x))) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: 
LevelDummy_interferenceContext_fp($$r, + $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: (forall $$_m: Int :: + { ($$_m in LevelDummy_interferenceSet_df(12, $r, $lvl)) } + none < old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + ($$_m in LevelDummy_interferenceSet_hf(12, $r, $lvl)) == + ((none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + ($$_m in LevelDummy_atomicity_context_hf($r, $lvl))) && + ($$_m == old[pre_stabilize14](LevelDummy_state($r, $lvl)) || + false)))) + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_interferenceSet_hf(12, $r, $lvl))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize14](perm(LevelDummy($r, $lvl))) ==> + LevelDummy_interferenceReference_hf(12, $r, $lvl) == + old[pre_stabilize14](LevelDummy_state($r, $lvl))) + + // ------- Stabilising regions Flag,Join,LevelDummy (after open-region@113.5) END + + assert $_levelVar_14 == $_levelVar_12 + } + $_levelVar_15 := $_levelVar_12 + + // ------- while END --------------- + +} + +method $_Flag_interpretation_stability_check(r: Ref, alvl: Int, s: Ref, lvl: Int, + x: Ref, y: Ref) +{ + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int 
::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) && + (x.$memcell_$f == 0 ? + acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + lvl < alvl && + acc(Join_SET(s), write) : + true) && + (x.$memcell_$f == 1 ? + acc(Join(s, lvl, y), write) && (lvl >= 0 && true) && lvl < alvl : + true) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize15](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize15](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize15](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + 
old[pre_stabilize15](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize15](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize15](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize15](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) && + (x.$memcell_$f == 0 ? + acc(Join(s, lvl, y), write) && + (lvl >= 0 && Join_state(s, lvl, y) == 0) && + lvl < alvl && + acc(Join_SET(s), write) : + true) && + (x.$memcell_$f == 1 ? 
+ acc(Join(s, lvl, y), write) && (lvl >= 0 && true) && lvl < alvl : + true) +} + +method $_Flag_action_transitivity_check() +{ + var SFLAG: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SFLAG + inhale bState == cState || 0 == bState && 1 == cState && true && SFLAG + assert aState == cState || 0 == aState && 1 == cState && true && SFLAG +} + +method $_Join_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize16](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize16](Flag_state($r, $alvl, $s, $lvl, $x, 
$y)) || + 0 == old[pre_stabilize16](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize16](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize16](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize16](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize16](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 || x.$memcell_$f == 1) +} + +method $_Join_action_transitivity_check() +{ + var SET: Bool + var Z: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && SET + inhale bState == cState || 0 == bState && 1 == cState && true && SET + assert aState == cState || 0 == aState && 1 == cState 
&& true && SET +} + +method $_LevelDummy_interpretation_stability_check(r: Ref, lvl: Int) +{ + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + inhale true + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize17](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize17](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize17](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(Join($r, $lvl, 
$x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize17](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize17](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize17](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize17](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of region interpretation) END + + assert true +} + +method $_LevelDummy_action_transitivity_check() +{ + var LevelDummyG: Bool + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState + inhale bState == cState + assert aState == cState +} + +method $_thread2_condition_stability_precondition_check(r: Ref, alvl: Int, s: Ref, + lvl: Int, x: Ref, y: Ref) + requires acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) +{ + var $_levelVar_16: Int + inhale $_levelVar_16 >= 0 && $_levelVar_16 > alvl + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall 
$r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize18](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize18](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize18](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize18](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize18](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + 
quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize18](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize18](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert acc(Flag(r, alvl, s, lvl, x, y), write) && + (alvl >= 0 && Flag_state(r, alvl, s, lvl, x, y) == 0) && + acc(Flag_SFLAG(r), write) +} + +method $_main_condition_stability_precondition_check(dummy: Ref, lvl: Int, alvl: Int, + x: Ref, y: Ref, r: Ref, s: Ref, ret: Int) + requires alvl > lvl && lvl >= 0 && + (acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true)) +{ + var $_levelVar_17: Int + inhale $_levelVar_17 >= 0 && $_levelVar_17 > alvl + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale 
(forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize19](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize19](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize19](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize19](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize19](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize19](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize19](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising 
regions Flag,Join,LevelDummy (check stability of method condition) END + + assert alvl > lvl && lvl >= 0 && + (acc(LevelDummy(dummy, alvl), write) && (alvl >= 0 && true)) +} + +method $_makeJoin_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ + var $_levelVar_18: Int + inhale $_levelVar_18 >= 0 + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize20 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize20](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize20](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize20](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: 
Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize20](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize20](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize20](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize20](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize20](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert lvl >= 0 +} + +method $_set_to_one_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref) + requires acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 0) && + acc(Join_SET(r), write) +{ + var $_levelVar_19: Int + inhale $_levelVar_19 >= 0 && $_levelVar_19 > lvl + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize21 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + old[pre_stabilize21](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize21](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize21](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize21](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize21](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize21](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: 
Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize21](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize21](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && + (lvl >= 0 && Join_state(r, lvl, x) == 0) && + acc(Join_SET(r), write) +} + +method $_wait_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(Join(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_20: Int + var v: Int + inhale $_levelVar_20 >= 0 && $_levelVar_20 > lvl + inhale acc(Flag_sk_fp(), write) && acc(Join_sk_fp(), write) && + acc(LevelDummy_sk_fp(), write) + + // no init required + + + // no init required + + + // no init required + + inhale (forall $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref ::acc(Flag_interferenceContext_fp($r, + $alvl, $s, $lvl, $x, $y), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(Join_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int ::acc(LevelDummy_interferenceContext_fp($r, + $lvl), write)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) BEGIN + + label pre_stabilize22 + + // Stabilising all instances of region Flag + quasihavocall $$r: Ref, $$alvl: Int, $$s: Ref, $$lvl: Int, $$x: Ref, $$y: Ref :: Flag($$r, + $$alvl, $$s, $$lvl, $$x, $$y) + exhale acc(Flag_sk_fp(), write) + inhale acc(Flag_sk_fp(), write) + inhale (forperm + $r: Ref, $alvl: Int, $s: Ref, $lvl: Int, $x: Ref, $y: Ref [Flag($r, $alvl, + $s, $lvl, $x, $y)] :: none < + 
old[pre_stabilize22](perm(Flag($r, $alvl, $s, $lvl, $x, $y))) ==> + (none < perm($r.$diamond) && + none < perm(Flag_atomicity_context_fp($r, $alvl, $s, $lvl, $x, $y)) ==> + (Flag_state($r, $alvl, $s, $lvl, $x, $y) in + Flag_atomicity_context_hf($r, $alvl, $s, $lvl, $x, $y))) && + (Flag_state($r, $alvl, $s, $lvl, $x, $y) == + old[pre_stabilize22](Flag_state($r, $alvl, $s, $lvl, $x, $y)) || + 0 == old[pre_stabilize22](Flag_state($r, $alvl, $s, $lvl, $x, $y)) && + 1 == Flag_state($r, $alvl, $s, $lvl, $x, $y) && + true && + perm(Flag_SFLAG($r)) == none)) + + // Stabilising all instances of region Join + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: Join($$r, $$lvl, $$x) + exhale acc(Join_sk_fp(), write) + inhale acc(Join_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [Join($r, $lvl, $x)] :: none < + old[pre_stabilize22](perm(Join($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(Join_atomicity_context_fp($r, $lvl, $x)) ==> + (Join_state($r, $lvl, $x) in Join_atomicity_context_hf($r, $lvl, $x))) && + (Join_state($r, $lvl, $x) == + old[pre_stabilize22](Join_state($r, $lvl, $x)) || + 0 == old[pre_stabilize22](Join_state($r, $lvl, $x)) && + 1 == Join_state($r, $lvl, $x) && + true && + perm(Join_SET($r)) == none)) + + // Stabilising all instances of region LevelDummy + quasihavocall $$r: Ref, $$lvl: Int :: LevelDummy($$r, $$lvl) + exhale acc(LevelDummy_sk_fp(), write) + inhale acc(LevelDummy_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int [LevelDummy($r, $lvl)] :: none < + old[pre_stabilize22](perm(LevelDummy($r, $lvl))) ==> + (none < perm($r.$diamond) && + none < perm(LevelDummy_atomicity_context_fp($r, $lvl)) ==> + (LevelDummy_state($r, $lvl) in + LevelDummy_atomicity_context_hf($r, $lvl))) && + (LevelDummy_state($r, $lvl) == + old[pre_stabilize22](LevelDummy_state($r, $lvl)) || + false)) + + // ------- Stabilising regions Flag,Join,LevelDummy (check stability of method condition) END + + assert acc(Join(r, lvl, x), write) && (lvl 
>= 0 && true)
+}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/IncDec.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/IncDec.vl.vpr
new file mode 100644
index 00000000..76d18889
--- /dev/null
+++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/IncDec.vl.vpr
@@ -0,0 +1,1797 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function IncDec_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function IncDec_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function IncDec_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function IncDec_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$val: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function IncDec_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(IncDec_atomicity_context_fp(r, lvl, x), write) + ensures [IncDec_atomicity_context_df(r, lvl, x), true] + + +function IncDec_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(IncDec_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in IncDec_interferenceSet_df($p0, r, lvl, x))), + true] + + +function IncDec_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec_interferenceContext_fp(r, lvl, x), write) + ensures [IncDec_interferenceReference_df($p0, r, lvl, x), true] + + +function IncDec_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec_sk_fp(), write) + + +function IncDec_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec_sk_fp(), write) + + +function IncDec_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(IncDec(r, lvl, x), write) + ensures [IncDec_state_T(r, lvl, x), true] +{ + (unfolding acc(IncDec(r, lvl, x), write) in x.$memcell_$val) +} + +predicate IncDec_INC($r: Ref) + +predicate IncDec_DEC($r: Ref) + +predicate 
IncDec_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate IncDec_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate IncDec_sk_fp() + +predicate IncDec(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$val, write) && true +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_IncDec() + + +method ___silicon_hack407_havoc_all_IncDec_interferenceContext_fp() + + +method makeCounter(lvl: Int, r: Ref) returns (ret: Ref) + requires lvl >= 0 + ensures acc(IncDec(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(IncDec_INC(r), write) && + acc(IncDec_DEC(r), write) +{ + var v: Ref + var w: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(v.$memcell_$val, write) && true + w := v.$memcell_$val + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + v.$memcell_$val := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions IncDec (after heap-write@30.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == 
old[pre_stabilize0](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after heap-write@30.3) END + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(IncDec_INC(r), write) && acc(IncDec_DEC(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(IncDec(r, lvl, ret), write) + assert lvl >= 0 && IncDec_state(r, lvl, ret) == 0 + + // ------- fold END ---------------- + +} + +method increment(r: Ref, lvl: Int, x: Ref, k: Int) returns (ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + 
acc(IncDec_INC(r), write) && + k > 0 + ensures acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_INC(r), write) && + IncDec_state(r, lvl, x) <= old(IncDec_state(r, lvl, x)) + k +{ + var b: Bool + var v: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(2, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(2, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + perm(IncDec_INC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + perm(IncDec_DEC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + 
(perm(IncDec_INC(r)) == none && perm(IncDec_DEC(r)) == none))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(2, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(2, r, lvl, x) == + old[pre_stabilize](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region0](IncDec_state(r, lvl, x)) + $_levelVar_3 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@50.5) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + 
IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize2](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@50.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(IncDec_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_3 > lvl + $_levelVar_4 := lvl + exhale acc(IncDec_INC(r), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(IncDec_INC(r), write) + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_4 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$val) == v ? 
+ b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v + k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call0](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + assert old[pre_use_atomic0](IncDec_state(r, lvl, x)) == + IncDec_state(r, lvl, x) || + old[pre_use_atomic0](IncDec_state(r, lvl, x)) < IncDec_state(r, lvl, x) + $_levelVar_5 := $_levelVar_3 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions IncDec (after use-atomic@54.5) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) 
== none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize3](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after use-atomic@54.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_INC(r), write) && + k > 0 + invariant (!b ? + IncDec_state(r, lvl, x) <= old(IncDec_state(r, lvl, x)) : + IncDec_state(r, lvl, x) <= old(IncDec_state(r, lvl, x)) + k) + { + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(IncDec_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { IncDec_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(IncDec_atomicity_context_fp($r, $lvl, $x))) ==> + IncDec_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](IncDec_atomicity_context_hf($r, $lvl, $x))) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(5, 
r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(5, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize4](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize4](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + perm(IncDec_INC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize4](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + perm(IncDec_DEC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize4](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (perm(IncDec_INC(r)) == none && perm(IncDec_DEC(r)) == none))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(5, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(5, r, lvl, x) == + old[pre_stabilize4](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_5 > lvl + $_levelVar_6 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region](IncDec_state(r, lvl, x)) + $_levelVar_7 := $_levelVar_5 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@50.5) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, 
$$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize5](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@50.5) END + 
+ + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(IncDec_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + exhale acc(IncDec_INC(r), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(IncDec_INC(r), write) + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_8 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$val) == v ? + b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v + k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + assert old[pre_use_atomic](IncDec_state(r, lvl, x)) == + IncDec_state(r, lvl, x) || + old[pre_use_atomic](IncDec_state(r, lvl, x)) < + IncDec_state(r, lvl, x) + $_levelVar_9 := $_levelVar_7 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions IncDec (after use-atomic@54.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(7, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](IncDec_state($r, $lvl, $x)) && 
+ IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize6](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after use-atomic@54.5) END + + assert $_levelVar_9 == $_levelVar_5 + } + $_levelVar_10 := $_levelVar_5 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + +} + +method decrement(r: Ref, lvl: Int, x: Ref, k: Int) returns (ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_DEC(r), write) && + k > 0 + ensures acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_DEC(r), write) && + IncDec_state(r, lvl, x) >= old(IncDec_state(r, lvl, x)) - k +{ + var b: Bool + var v: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + var 
$_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + inhale $_levelVar_11 >= 0 && $_levelVar_11 > lvl + assert $_levelVar_11 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize7 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(8, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(8, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize7](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize7](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + perm(IncDec_INC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize7](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + perm(IncDec_DEC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize7](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (perm(IncDec_INC(r)) == none && perm(IncDec_DEC(r)) == none))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(8, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(8, r, lvl, x) == + old[pre_stabilize7](IncDec_state(r, lvl, x)) + + // ------- 
Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_11 > lvl + $_levelVar_12 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region2](IncDec_state(r, lvl, x)) + $_levelVar_13 := $_levelVar_11 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@73.5) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x)) && + 
IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize8](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@73.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic2 + assert perm(IncDec_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_13 > lvl + $_levelVar_14 := lvl + exhale acc(IncDec_DEC(r), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(IncDec_DEC(r), write) + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call2 + assert $_levelVar_14 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call2](x.$memcell_$val) == v ? 
+ b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v - k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call2](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + assert old[pre_use_atomic2](IncDec_state(r, lvl, x)) == + IncDec_state(r, lvl, x) || + IncDec_state(r, lvl, x) < old[pre_use_atomic2](IncDec_state(r, lvl, x)) + $_levelVar_15 := $_levelVar_13 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions IncDec (after use-atomic@77.5) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(10, $r, $lvl, $x)) } + none < old[pre_stabilize9](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(10, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize9](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && 
perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(10, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(10, $r, $lvl, $x) == + old[pre_stabilize9](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after use-atomic@77.5) END + + + // ------- while BEGIN ------------- + + label preWhile + while (!b) + invariant acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_DEC(r), write) && + k > 0 + invariant (!b ? + IncDec_state(r, lvl, x) >= old(IncDec_state(r, lvl, x)) : + IncDec_state(r, lvl, x) >= old(IncDec_state(r, lvl, x)) - k) + { + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(IncDec_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { IncDec_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(IncDec_atomicity_context_fp($r, $lvl, $x))) ==> + IncDec_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](IncDec_atomicity_context_hf($r, $lvl, $x))) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize10 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in 
IncDec_interferenceSet_df(11, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(11, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize10](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + perm(IncDec_INC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + perm(IncDec_DEC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (perm(IncDec_INC(r)) == none && perm(IncDec_DEC(r)) == none))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(11, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(11, r, lvl, x) == + old[pre_stabilize10](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_15 > lvl + $_levelVar_16 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region3](IncDec_state(r, lvl, x)) + $_levelVar_17 := $_levelVar_15 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@73.5) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region 
IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(12, $r, $lvl, $x)) } + none < old[pre_stabilize11](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(12, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize11](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(12, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(12, $r, $lvl, $x) == + old[pre_stabilize11](IncDec_state($r, $lvl, $x))) + + // ------- 
Stabilising regions IncDec (after open-region@73.5) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic3 + assert perm(IncDec_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_17 > lvl + $_levelVar_18 := lvl + exhale acc(IncDec_DEC(r), write) + unfold acc(IncDec(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(IncDec_DEC(r), write) + exhale acc(IncDec(r, lvl, x), perm(IncDec(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call3 + assert $_levelVar_18 >= 0 + assert true + exhale acc(x.$memcell_$val, write) && true + b := havoc_Bool() + inhale (old[pre_call3](x.$memcell_$val) == v ? + b && (acc(x.$memcell_$val, write) && x.$memcell_$val == v - k) : + !b && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old[pre_call3](x.$memcell_$val))) + + // ------- call:CAS END ------------ + + fold acc(IncDec(r, lvl, x), write) + assert old[pre_use_atomic3](IncDec_state(r, lvl, x)) == + IncDec_state(r, lvl, x) || + IncDec_state(r, lvl, x) < + old[pre_use_atomic3](IncDec_state(r, lvl, x)) + $_levelVar_19 := $_levelVar_17 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions IncDec (after use-atomic@77.5) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(13, $r, $lvl, $x)) } + none < old[pre_stabilize12](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(13, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize12](IncDec_state($r, $lvl, $x)) || + 
(IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(13, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(13, $r, $lvl, $x) == + old[pre_stabilize12](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after use-atomic@77.5) END + + assert $_levelVar_19 == $_levelVar_15 + } + $_levelVar_20 := $_levelVar_15 + + // ------- while END --------------- + + + // ------- assign BEGIN ------------ + + ret := v + + // ------- assign END -------------- + +} + +method read(r: Ref, lvl: Int, x: Ref) returns (ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) + ensures acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_21: Int + var $_levelVar_22: Int + var $_levelVar_23: Int + inhale $_levelVar_21 >= 0 && $_levelVar_21 > lvl + assert $_levelVar_21 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init 
required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(IncDec(r, lvl, x), write) + + // ------- Stabilising regions IncDec (infer context for open-region) BEGIN + + label pre_stabilize13 + + // Stabilising single instance of region IncDec + quasihavoc IncDec_interferenceContext_fp(r, lvl, x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(14, r, lvl, x)) } + ($$_m in IncDec_interferenceSet_hf(14, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(IncDec_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in IncDec_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize13](IncDec_state(r, lvl, x)) || + (IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize13](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_n(r, lvl, x) < IncDec_sk_$_action_m(r, lvl, x) && + perm(IncDec_INC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize13](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + IncDec_sk_$_action_m(r, lvl, x) < IncDec_sk_$_action_n(r, lvl, x) && + perm(IncDec_DEC(r)) == none || + IncDec_sk_$_action_n(r, lvl, x) == + old[pre_stabilize13](IncDec_state(r, lvl, x)) && + IncDec_sk_$_action_m(r, lvl, x) == $$_m && + true && + (perm(IncDec_INC(r)) == none && perm(IncDec_DEC(r)) == none))))) + quasihavoc IncDec(r, lvl, x) + inhale (IncDec_state(r, lvl, x) in + IncDec_interferenceSet_hf(14, r, lvl, x)) + + // havoc performed by other front resource + + inhale IncDec_interferenceReference_hf(14, r, lvl, x) == + old[pre_stabilize13](IncDec_state(r, lvl, x)) + + // ------- Stabilising regions IncDec (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region4 + assert $_levelVar_21 > lvl + $_levelVar_22 := lvl + unfold acc(IncDec(r, lvl, x), write) + + // no 
interference context translation needed + + + // ------- heap-read BEGIN --------- + + ret := x.$memcell_$val + + // ------- heap-read END ----------- + + fold acc(IncDec(r, lvl, x), write) + assert IncDec_state(r, lvl, x) == + old[pre_open_region4](IncDec_state(r, lvl, x)) + $_levelVar_23 := $_levelVar_21 + + // ------- open-region END --------- + + + // ------- Stabilising regions IncDec (after open-region@89.3) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in IncDec_interferenceSet_df(15, $r, $lvl, $x)) } + none < old[pre_stabilize14](perm(IncDec($r, $lvl, $x))) ==> + ($$_m in IncDec_interferenceSet_hf(15, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in IncDec_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize14](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize14](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize14](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize14](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, 
$lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(IncDec($r, $lvl, $x))) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_interferenceSet_hf(15, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(IncDec($r, $lvl, $x))) ==> + IncDec_interferenceReference_hf(15, $r, $lvl, $x) == + old[pre_stabilize14](IncDec_state($r, $lvl, $x))) + + // ------- Stabilising regions IncDec (after open-region@89.3) END + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$val, write) && true + ensures (old(x.$memcell_$val) == now ? + ret && (acc(x.$memcell_$val, write) && x.$memcell_$val == thn) : + !ret && + (acc(x.$memcell_$val, write) && + x.$memcell_$val == old(x.$memcell_$val))) + + +method $_IncDec_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$val, write) && true + + // ------- Stabilising regions IncDec (check stability of region interpretation) BEGIN + + label pre_stabilize15 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == 
IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))) + + // ------- Stabilising regions IncDec (check stability of region interpretation) END + + assert acc(x.$memcell_$val, write) && true +} + +method $_IncDec_action_transitivity_check() +{ + var INC: Bool + var DEC: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_1_x: Int + var $_action_m_1_x: Int + var $_action_n_2_x: Int + var $_action_m_2_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var $_action_n_1_y: Int + var $_action_m_1_y: Int + var $_action_n_2_y: Int + var $_action_m_2_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + INC || + $_action_n_1_x == aState && $_action_m_1_x == bState && + $_action_m_1_x < $_action_n_1_x && + DEC || + $_action_n_2_x == aState && $_action_m_2_x == bState && true && + (INC && DEC) + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + INC || + $_action_n_1_y == bState && $_action_m_1_y == cState && + $_action_m_1_y < $_action_n_1_y && + DEC || + $_action_n_2_y == bState && $_action_m_2_y == cState && true && + (INC && DEC) + assert aState == cState || + aState == aState && cState == cState && aState < cState && INC || + aState == 
aState && cState == cState && cState < aState && DEC || + aState == aState && cState == cState && true && (INC && DEC) +} + +method $_makeCounter_condition_stability_precondition_check(lvl: Int, r: Ref, + ret: Ref) + requires lvl >= 0 +{ + var $_levelVar_25: Int + var v: Ref + inhale $_levelVar_25 >= 0 + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))) + + // ------- 
Stabilising regions IncDec (check stability of method condition) END + + assert lvl >= 0 +} + +method $_increment_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, k: Int, ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_INC(r), write) && + k > 0 +{ + var $_levelVar_26: Int + var b: Bool + var v: Int + inhale $_levelVar_26 >= 0 && $_levelVar_26 > lvl + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize17](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize17](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize17](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize17](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) 
&& + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))) + + // ------- Stabilising regions IncDec (check stability of method condition) END + + assert acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_INC(r), write) && + k > 0 +} + +method $_decrement_condition_stability_precondition_check(r: Ref, lvl: Int, + x: Ref, k: Int, ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_DEC(r), write) && + k > 0 +{ + var $_levelVar_27: Int + var b: Bool + var v: Int + inhale $_levelVar_27 >= 0 && $_levelVar_27 > lvl + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize18 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize18](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + 
perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize18](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))) + + // ------- Stabilising regions IncDec (check stability of method condition) END + + assert acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) && + acc(IncDec_DEC(r), write) && + k > 0 +} + +method $_read_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref, + ret: Int) + requires acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_28: Int + inhale $_levelVar_28 >= 0 && $_levelVar_28 > lvl + inhale acc(IncDec_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(IncDec_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions IncDec (check stability of method condition) BEGIN + + label pre_stabilize19 + + // Stabilising all instances of region IncDec + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: IncDec($$r, $$lvl, $$x) + exhale acc(IncDec_sk_fp(), write) + inhale acc(IncDec_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [IncDec($r, $lvl, $x)] :: none < + old[pre_stabilize19](perm(IncDec($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(IncDec_atomicity_context_fp($r, $lvl, $x)) ==> + (IncDec_state($r, $lvl, $x) in + IncDec_atomicity_context_hf($r, $lvl, $x))) && + (IncDec_state($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) || + (IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_n($r, $lvl, $x) < + IncDec_sk_$_action_m($r, $lvl, $x) && + perm(IncDec_INC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == 
IncDec_state($r, $lvl, $x) && + IncDec_sk_$_action_m($r, $lvl, $x) < + IncDec_sk_$_action_n($r, $lvl, $x) && + perm(IncDec_DEC($r)) == none || + IncDec_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize19](IncDec_state($r, $lvl, $x)) && + IncDec_sk_$_action_m($r, $lvl, $x) == IncDec_state($r, $lvl, $x) && + true && + (perm(IncDec_INC($r)) == none && perm(IncDec_DEC($r)) == none)))) + + // ------- Stabilising regions IncDec (check stability of method condition) END + + assert acc(IncDec(r, lvl, x), write) && (lvl >= 0 && true) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/SpinLock.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/SpinLock.vl.vpr new file mode 100644 index 00000000..4e21bc53 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/SpinLock.vl.vpr 
@@ -0,0 +1,951 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function SLock_state_T(r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceReference_Domain { + + function SLock_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function SLock_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function SLock_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$f: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function SLock_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(SLock_atomicity_context_fp(r, lvl, x), write) + ensures [SLock_atomicity_context_df(r, lvl, x), true] + + +function SLock_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(SLock_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in SLock_interferenceSet_df($p0, r, lvl, x))), + true] + + +function SLock_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(SLock_interferenceContext_fp(r, lvl, x), write) + ensures [SLock_interferenceReference_df($p0, r, lvl, x), true] + + +function SLock_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(SLock_sk_fp(), write) + + +function SLock_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(SLock_sk_fp(), write) + + +function SLock_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(SLock(r, lvl, x), write) + ensures [SLock_state_T(r, lvl, x), true] +{ + (unfolding acc(SLock(r, lvl, x), write) in x.$memcell_$f) +} + +predicate SLock_LOCK($r: Ref) + +predicate SLock_UNLOCK($r: Ref) + +predicate SLock_atomicity_context_fp(r: Ref, lvl: 
Int, x: Ref) + +predicate SLock_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate SLock_sk_fp() + +predicate SLock(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 ? acc(SLock_UNLOCK(r), write) : true) +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Ref() returns ($r: Ref) + + +method havoc_Int() returns ($r: Int) + + +method ___silicon_hack407_havoc_all_SLock() + + +method ___silicon_hack407_havoc_all_SLock_interferenceContext_fp() + + +method makeLock(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(SLock(r, lvl, ret), write) && (lvl >= 0 && true) && + acc(SLock_LOCK(r), write) +{ + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$f, write) && ret.$memcell_$f == 0 + + // ------- inhale END -------------- + + + // ------- havoc BEGIN ------------- + + r := havoc_Ref() + + // ------- havoc END --------------- + + + // ------- inhale BEGIN ------------ + + inhale acc(SLock_LOCK(r), write) && acc(SLock_UNLOCK(r), write) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(SLock(r, lvl, ret), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method acquire(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && (lvl >= 0 && true) && + acc(SLock_LOCK(r), write) + ensures acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_LOCK(r), write) && + acc(SLock_UNLOCK(r), write) +{ + var b: Bool + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 
>= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(SLock(r, lvl, x), write) + + // ------- Stabilising regions SLock (infer context for use-atomic) BEGIN + + label pre_stabilize0 + + // Stabilising single instance of region SLock + quasihavoc SLock_interferenceContext_fp(r, lvl, x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(1, r, lvl, x)) } + ($$_m in SLock_interferenceSet_hf(1, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(SLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in SLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize0](SLock_state(r, lvl, x)) || + (0 == old[pre_stabilize0](SLock_state(r, lvl, x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize0](SLock_state(r, lvl, x)) && 0 == $$_m && true && + perm(SLock_UNLOCK(r)) == none || + SLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize0](SLock_state(r, lvl, x)) && + SLock_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && perm(SLock_UNLOCK(r)) == none))))) + quasihavoc SLock(r, lvl, x) + inhale (SLock_state(r, lvl, x) in SLock_interferenceSet_hf(1, r, lvl, x)) + + // havoc performed by other front resource + + inhale SLock_interferenceReference_hf(1, r, lvl, x) == + old[pre_stabilize0](SLock_state(r, lvl, x)) + + // ------- Stabilising regions SLock (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(SLock_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + exhale acc(SLock_LOCK(r), write) + unfold acc(SLock(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(SLock_LOCK(r), write) + exhale acc(SLock(r, lvl, x), perm(SLock(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + 
label pre_call0 + assert $_levelVar_2 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$f) == 0 ? + b && (acc(x.$memcell_$f, write) && x.$memcell_$f == 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call0](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(SLock(r, lvl, x), write) + assert old[pre_use_atomic0](SLock_state(r, lvl, x)) == + SLock_state(r, lvl, x) || + 0 == old[pre_use_atomic0](SLock_state(r, lvl, x)) && + 1 == SLock_state(r, lvl, x) + $_levelVar_3 := $_levelVar_1 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions SLock (after use-atomic@46.5) BEGIN + + label pre_stabilize + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize](perm(SLock($r, $lvl, $x))) ==> + ($$_m in SLock_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in SLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize](SLock_state($r, $lvl, $x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize](SLock_state($r, $lvl, $x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && perm(SLock_UNLOCK($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + 
old[pre_stabilize](perm(SLock($r, $lvl, $x))) ==> + (SLock_state($r, $lvl, $x) in + SLock_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(SLock($r, $lvl, $x))) ==> + SLock_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize](SLock_state($r, $lvl, $x))) + + // ------- Stabilising regions SLock (after use-atomic@46.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant acc(SLock(r, lvl, x), write) && (lvl >= 0 && true) && + acc(SLock_LOCK(r), write) + invariant (b ? + SLock_state(r, lvl, x) == 1 && acc(SLock_UNLOCK(r), write) : + true) + { + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(SLock_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { SLock_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(SLock_atomicity_context_fp($r, $lvl, $x))) ==> + SLock_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](SLock_atomicity_context_hf($r, $lvl, $x))) + assert acc(SLock(r, lvl, x), write) + + // ------- Stabilising regions SLock (infer context for use-atomic) BEGIN + + label pre_stabilize2 + + // Stabilising single instance of region SLock + quasihavoc SLock_interferenceContext_fp(r, lvl, x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(3, r, lvl, x)) } + ($$_m in SLock_interferenceSet_hf(3, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(SLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in SLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize2](SLock_state(r, lvl, x)) 
|| + (0 == old[pre_stabilize2](SLock_state(r, lvl, x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize2](SLock_state(r, lvl, x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK(r)) == none || + SLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize2](SLock_state(r, lvl, x)) && + SLock_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && perm(SLock_UNLOCK(r)) == none))))) + quasihavoc SLock(r, lvl, x) + inhale (SLock_state(r, lvl, x) in + SLock_interferenceSet_hf(3, r, lvl, x)) + + // havoc performed by other front resource + + inhale SLock_interferenceReference_hf(3, r, lvl, x) == + old[pre_stabilize2](SLock_state(r, lvl, x)) + + // ------- Stabilising regions SLock (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic + assert perm(SLock_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_3 > lvl + $_levelVar_4 := lvl + exhale acc(SLock_LOCK(r), write) + unfold acc(SLock(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(SLock_LOCK(r), write) + exhale acc(SLock(r, lvl, x), perm(SLock(r, lvl, x))) + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_4 >= 0 + assert true + exhale acc(x.$memcell_$f, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$f) == 0 ? 
+ b && (acc(x.$memcell_$f, write) && x.$memcell_$f == 1) : + !b && + (acc(x.$memcell_$f, write) && + x.$memcell_$f == old[pre_call](x.$memcell_$f))) + + // ------- call:CAS END ------------ + + fold acc(SLock(r, lvl, x), write) + assert old[pre_use_atomic](SLock_state(r, lvl, x)) == + SLock_state(r, lvl, x) || + 0 == old[pre_use_atomic](SLock_state(r, lvl, x)) && + 1 == SLock_state(r, lvl, x) + $_levelVar_5 := $_levelVar_3 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions SLock (after use-atomic@46.5) BEGIN + + label pre_stabilize3 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(SLock($r, $lvl, $x))) ==> + ($$_m in SLock_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in SLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize3](SLock_state($r, $lvl, $x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize3](SLock_state($r, $lvl, $x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && perm(SLock_UNLOCK($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(SLock($r, $lvl, $x))) ==> + (SLock_state($r, $lvl, $x) in + SLock_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + 
inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(SLock($r, $lvl, $x))) ==> + SLock_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize3](SLock_state($r, $lvl, $x))) + + // ------- Stabilising regions SLock (after use-atomic@46.5) END + + assert $_levelVar_5 == $_levelVar_3 + } + $_levelVar_6 := $_levelVar_3 + + // ------- while END --------------- + +} + +method release(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_UNLOCK(r), write) + ensures acc(SLock(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + inhale $_levelVar_7 >= 0 && $_levelVar_7 > lvl + assert $_levelVar_7 >= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(SLock(r, lvl, x), write) + + // ------- Stabilising regions SLock (infer context for use-atomic) BEGIN + + label pre_stabilize4 + + // Stabilising single instance of region SLock + quasihavoc SLock_interferenceContext_fp(r, lvl, x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(5, r, lvl, x)) } + ($$_m in SLock_interferenceSet_hf(5, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(SLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in SLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize4](SLock_state(r, lvl, x)) || + (0 == old[pre_stabilize4](SLock_state(r, lvl, x)) && 1 == $$_m && + true && + true || + 1 == old[pre_stabilize4](SLock_state(r, lvl, x)) && 0 == $$_m && true && + perm(SLock_UNLOCK(r)) == none || + SLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize4](SLock_state(r, lvl, x)) && + SLock_sk_$_action_m(r, lvl, x) == $$_m && + true && + (true && perm(SLock_UNLOCK(r)) == 
none))))) + quasihavoc SLock(r, lvl, x) + inhale (SLock_state(r, lvl, x) in SLock_interferenceSet_hf(5, r, lvl, x)) + + // havoc performed by other front resource + + inhale SLock_interferenceReference_hf(5, r, lvl, x) == + old[pre_stabilize4](SLock_state(r, lvl, x)) + + // ------- Stabilising regions SLock (infer context for use-atomic) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic2 + assert perm(SLock_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + exhale acc(SLock_UNLOCK(r), write) + unfold acc(SLock(r, lvl, x), write) + + // no interference context translation needed + + inhale acc(SLock_UNLOCK(r), write) + exhale acc(SLock(r, lvl, x), perm(SLock(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$f := 0 + + // ------- heap-write END ---------- + + fold acc(SLock(r, lvl, x), write) + assert old[pre_use_atomic2](SLock_state(r, lvl, x)) == + SLock_state(r, lvl, x) || + 1 == old[pre_use_atomic2](SLock_state(r, lvl, x)) && + 0 == SLock_state(r, lvl, x) + $_levelVar_9 := $_levelVar_7 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions SLock (after use-atomic@56.3) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in SLock_interferenceSet_df(6, $r, $lvl, $x)) } + none < old[pre_stabilize5](perm(SLock($r, $lvl, $x))) ==> + ($$_m in SLock_interferenceSet_hf(6, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in SLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize5](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize5](SLock_state($r, $lvl, $x)) && 1 == $$_m && + true 
&& + true || + 1 == old[pre_stabilize5](SLock_state($r, $lvl, $x)) && 0 == $$_m && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) == $$_m && + true && + (true && perm(SLock_UNLOCK($r)) == none)))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(SLock($r, $lvl, $x))) ==> + (SLock_state($r, $lvl, $x) in + SLock_interferenceSet_hf(6, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(SLock($r, $lvl, $x))) ==> + SLock_interferenceReference_hf(6, $r, $lvl, $x) == + old[pre_stabilize5](SLock_state($r, $lvl, $x))) + + // ------- Stabilising regions SLock (after use-atomic@56.3) END + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$f, write) && true + ensures (old(x.$memcell_$f) == now ? + ret && (acc(x.$memcell_$f, write) && x.$memcell_$f == thn) : + !ret && + (acc(x.$memcell_$f, write) && x.$memcell_$f == old(x.$memcell_$f))) + + +method $_SLock_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 ? 
acc(SLock_UNLOCK(r), write) : true) + + // ------- Stabilising regions SLock (check stability of region interpretation) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize6](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize6](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize6](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) == SLock_state($r, $lvl, $x) && + true && + (true && perm(SLock_UNLOCK($r)) == none)))) + + // ------- Stabilising regions SLock (check stability of region interpretation) END + + assert acc(x.$memcell_$f, write) && true && + (x.$memcell_$f == 0 ? 
acc(SLock_UNLOCK(r), write) : true) +} + +method $_SLock_action_transitivity_check() +{ + var LOCK: Bool + var UNLOCK: Bool + var $_action_n_2_x: Int + var $_action_m_2_x: Int + var $_action_n_2_y: Int + var $_action_m_2_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || 0 == aState && 1 == bState && true && LOCK || + 1 == aState && 0 == bState && true && UNLOCK || + $_action_n_2_x == aState && $_action_m_2_x == bState && true && + (LOCK && UNLOCK) + inhale bState == cState || 0 == bState && 1 == cState && true && LOCK || + 1 == bState && 0 == cState && true && UNLOCK || + $_action_n_2_y == bState && $_action_m_2_y == cState && true && + (LOCK && UNLOCK) + assert aState == cState || 0 == aState && 1 == cState && true && LOCK || + 1 == aState && 0 == cState && true && UNLOCK || + aState == aState && cState == cState && true && (LOCK && UNLOCK) +} + +method $_makeLock_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ + var $_levelVar_11: Int + inhale $_levelVar_11 >= 0 + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions SLock (check stability of method condition) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize7](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize7](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, 
$lvl, $x) && + true && + true || + 1 == old[pre_stabilize7](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) == SLock_state($r, $lvl, $x) && + true && + (true && perm(SLock_UNLOCK($r)) == none)))) + + // ------- Stabilising regions SLock (check stability of method condition) END + + assert lvl >= 0 +} + +method $_acquire_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && (lvl >= 0 && true) && + acc(SLock_LOCK(r), write) +{ + var $_levelVar_12: Int + var b: Bool + inhale $_levelVar_12 >= 0 && $_levelVar_12 > lvl + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions SLock (check stability of method condition) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize8](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize8](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize8](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) 
== SLock_state($r, $lvl, $x) && + true && + (true && perm(SLock_UNLOCK($r)) == none)))) + + // ------- Stabilising regions SLock (check stability of method condition) END + + assert acc(SLock(r, lvl, x), write) && (lvl >= 0 && true) && + acc(SLock_LOCK(r), write) +} + +method $_release_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(SLock(r, lvl, x), write) && + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_UNLOCK(r), write) +{ + var $_levelVar_13: Int + inhale $_levelVar_13 >= 0 && $_levelVar_13 > lvl + inhale acc(SLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(SLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions SLock (check stability of method condition) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region SLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: SLock($$r, $$lvl, $$x) + exhale acc(SLock_sk_fp(), write) + inhale acc(SLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [SLock($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(SLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(SLock_atomicity_context_fp($r, $lvl, $x)) ==> + (SLock_state($r, $lvl, $x) in + SLock_atomicity_context_hf($r, $lvl, $x))) && + (SLock_state($r, $lvl, $x) == + old[pre_stabilize9](SLock_state($r, $lvl, $x)) || + (0 == old[pre_stabilize9](SLock_state($r, $lvl, $x)) && + 1 == SLock_state($r, $lvl, $x) && + true && + true || + 1 == old[pre_stabilize9](SLock_state($r, $lvl, $x)) && + 0 == SLock_state($r, $lvl, $x) && + true && + perm(SLock_UNLOCK($r)) == none || + SLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](SLock_state($r, $lvl, $x)) && + SLock_sk_$_action_m($r, $lvl, $x) == SLock_state($r, $lvl, $x) && + true && + (true && perm(SLock_UNLOCK($r)) == none)))) + + // ------- Stabilising regions SLock (check stability of method condition) END + + assert acc(SLock(r, lvl, x), write) 
&& + (lvl >= 0 && SLock_state(r, lvl, x) == 1) && + acc(SLock_UNLOCK(r), write) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLock.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLock.vl.vpr new file mode 100644 index 00000000..103077c7 --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLock.vl.vpr 
@@ -0,0 +1,1590 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function TLock_TICKET_T($r: Ref, n: Int): Bool + + function TLock_state_T(r: Ref, lvl: Int, x: Ref): Bool + + axiom TLock_TICKET_T_bottom { + (forall $r: Ref, n: Int :: + { TLock_TICKET_T($r, n) } + TLock_TICKET_T($r, n)) + } +} + +domain interferenceReference_Domain { + + function TLock_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function TLock_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function TLock_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $memcell_$next: Int + +field $memcell_$owner: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_12_150($s_0: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == $k >= $s_0) + + +function comprehension_29_170(): Set[Int] + ensures (forall $k: Int ::($k in result) == $k >= 0) + + +function comprehension_16_280($s_0: Int, $s_1: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == ($s_0 <= $k && $k < $s_1)) + + +function TLock_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(TLock_atomicity_context_fp(r, lvl, x), write) + ensures [TLock_atomicity_context_df(r, lvl, x), true] + + +function TLock_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(TLock_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in TLock_interferenceSet_df($p0, r, lvl, x))), + true] + + +function TLock_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_interferenceContext_fp(r, lvl, x), write) + ensures 
[TLock_interferenceReference_df($p0, r, lvl, x), true] + + +function TLock_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_sk_fp(), write) + + +function TLock_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_sk_fp(), write) + + +function TLock_out0(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock(r, lvl, x), write) +{ + (unfolding acc(TLock(r, lvl, x), write) in x.$memcell_$next) +} + +function TLock_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock(r, lvl, x), write) + ensures [TLock_state_T(r, lvl, x), true] +{ + (unfolding acc(TLock(r, lvl, x), write) in x.$memcell_$owner) +} + +predicate TLock_TICKET($r: Ref, n: Int) + +predicate TLock_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate TLock_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate TLock_sk_fp() + +predicate TLock(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_12_150(x.$memcell_$next)) } + ($a in comprehension_12_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_12_150(x.$memcell_$next)) } + ($a in comprehension_12_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_TLock() + + +method ___silicon_hack407_havoc_all_TLock_interferenceContext_fp() + + +method makeLock(lvl: Int) returns (ret: Ref, r: Ref) + requires lvl >= 0 + ensures acc(TLock(r, lvl, ret), write) && (lvl >= 0 && true) +{ + var k: Int + var $_levelVar_0: Int + inhale $_levelVar_0 >= 0 + assert $_levelVar_0 >= 0 + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref 
::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- inhale BEGIN ------------ + + inhale acc(ret.$memcell_$next, write) && true && + (acc(ret.$memcell_$owner, write) && true) + + // ------- inhale END -------------- + + + // ------- heap-write BEGIN -------- + + ret.$memcell_$next := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions TLock (after heap-write@25.3) BEGIN + + label pre_stabilize0 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(1, $r, $lvl, $x)) } + none < old[pre_stabilize0](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(1, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize0](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize0](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(1, $r, $lvl, $x))) + + // havoc performed by other front 
resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize0](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(1, $r, $lvl, $x) == + old[pre_stabilize0](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after heap-write@25.3) END + + + // ------- heap-write BEGIN -------- + + ret.$memcell_$owner := 0 + + // ------- heap-write END ---------- + + + // ------- Stabilising regions TLock (after heap-write@26.3) BEGIN + + label pre_stabilize + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + 
TLock_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after heap-write@26.3) END + + + // ------- inhale BEGIN ------------ + + inhale (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_29_170()) } + ($a in comprehension_29_170()) ==> TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_29_170()) } + ($a in comprehension_29_170()) ==> acc(TLock_TICKET(r, $a), write)) + + // ------- inhale END -------------- + + + // ------- fold BEGIN -------------- + + fold acc(TLock(r, lvl, ret), write) + assert lvl >= 0 && true + + // ------- fold END ---------------- + +} + +method acquire(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) + ensures acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +{ + var b: Bool + var t: Int + var v: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + var $_levelVar_5: Int + var $_levelVar_6: Int + var $_levelVar_7: Int + var $_levelVar_8: Int + var $_levelVar_9: Int + var $_levelVar_10: Int + var $_levelVar_11: Int + var $_levelVar_12: Int + var $_levelVar_13: Int + var $_levelVar_14: Int + var $_levelVar_15: Int + inhale $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert $_levelVar_1 >= 0 + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(TLock(r, lvl, x), write) + + // ------- Stabilising regions TLock (infer context for open-region) BEGIN + + label 
pre_stabilize2 + + // Stabilising single instance of region TLock + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(3, r, lvl, x)) } + ($$_m in TLock_interferenceSet_hf(3, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(TLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in TLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize2](TLock_state(r, lvl, x)) || + TLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize2](TLock_state(r, lvl, x)) && + TLock_sk_$_action_m(r, lvl, x) == $$_m && + TLock_sk_$_action_n(r, lvl, x) < TLock_sk_$_action_m(r, lvl, x) && + (forall $$a: Int :: + { TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) ==> + perm(TLock_TICKET(r, $$a)) == none)))) + quasihavoc TLock(r, lvl, x) + inhale (TLock_state(r, lvl, x) in TLock_interferenceSet_hf(3, r, lvl, x)) + + // havoc performed by other front resource + + inhale TLock_interferenceReference_hf(3, r, lvl, x) == + old[pre_stabilize2](TLock_state(r, lvl, x)) + + // ------- Stabilising regions TLock (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_1 > lvl + $_levelVar_2 := lvl + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + t := x.$memcell_$next + + // ------- heap-read END ----------- + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region0](TLock_state(r, lvl, x)) + $_levelVar_3 := $_levelVar_1 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@46.5) BEGIN + + label pre_stabilize3 + + // Stabilising all 
instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize3](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@46.5) END + + + // ------- open-region BEGIN ------- + + label pre_open_region + assert $_levelVar_3 > lvl + $_levelVar_4 := lvl + unfold acc(TLock(r, lvl, x), write) 
+ + // no interference context translation needed + + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call0 + assert $_levelVar_4 >= 0 + assert true + exhale acc(x.$memcell_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call0](x.$memcell_$next) == t ? + b && (acc(x.$memcell_$next, write) && x.$memcell_$next == t + 1) : + !b && + (acc(x.$memcell_$next, write) && + x.$memcell_$next == old[pre_call0](x.$memcell_$next))) + + // ------- call:CAS END ------------ + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region](TLock_state(r, lvl, x)) + $_levelVar_5 := $_levelVar_3 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@50.5) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) 
== none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(5, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize4](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@50.5) END + + + // ------- while BEGIN ------------- + + label preWhile0 + while (!b) + invariant acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) + invariant (b ? + TLock_TICKET_T(r, t) && acc(TLock_TICKET(r, t), write) && + t >= TLock_state(r, lvl, x) : + true) + { + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_atomicity_context_fp($r, + $lvl, $x), old[preWhile0](perm(TLock_atomicity_context_fp($r, $lvl, + $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { TLock_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile0](perm(TLock_atomicity_context_fp($r, $lvl, $x))) ==> + TLock_atomicity_context_hf($r, $lvl, $x) == + old[preWhile0](TLock_atomicity_context_hf($r, $lvl, $x))) + assert acc(TLock(r, lvl, x), write) + + // ------- Stabilising regions TLock (infer context for open-region) BEGIN + + label pre_stabilize5 + + // Stabilising single instance of region TLock + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(6, r, lvl, x)) } + ($$_m in TLock_interferenceSet_hf(6, r, lvl, x)) == + ((none < 
perm(r.$diamond) && + none < perm(TLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in TLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize5](TLock_state(r, lvl, x)) || + TLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize5](TLock_state(r, lvl, x)) && + TLock_sk_$_action_m(r, lvl, x) == $$_m && + TLock_sk_$_action_n(r, lvl, x) < TLock_sk_$_action_m(r, lvl, x) && + (forall $$a: Int :: + { TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) ==> + perm(TLock_TICKET(r, $$a)) == none)))) + quasihavoc TLock(r, lvl, x) + inhale (TLock_state(r, lvl, x) in + TLock_interferenceSet_hf(6, r, lvl, x)) + + // havoc performed by other front resource + + inhale TLock_interferenceReference_hf(6, r, lvl, x) == + old[pre_stabilize5](TLock_state(r, lvl, x)) + + // ------- Stabilising regions TLock (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region2 + assert $_levelVar_5 > lvl + $_levelVar_6 := lvl + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + t := x.$memcell_$next + + // ------- heap-read END ----------- + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region2](TLock_state(r, lvl, x)) + $_levelVar_7 := $_levelVar_5 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@46.5) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(7, $r, $lvl, 
$x)) } + none < old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(7, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(7, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(7, $r, $lvl, $x) == + old[pre_stabilize6](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@46.5) END + + + // ------- open-region BEGIN ------- + + label pre_open_region3 + assert $_levelVar_7 > lvl + $_levelVar_8 := lvl + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + + // ------- call:CAS BEGIN ---------- + + assert true + label pre_call + assert $_levelVar_8 >= 0 + assert true + exhale acc(x.$memcell_$next, write) && true + b := havoc_Bool() + inhale (old[pre_call](x.$memcell_$next) == t ? 
+ b && (acc(x.$memcell_$next, write) && x.$memcell_$next == t + 1) : + !b && + (acc(x.$memcell_$next, write) && + x.$memcell_$next == old[pre_call](x.$memcell_$next))) + + // ------- call:CAS END ------------ + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region3](TLock_state(r, lvl, x)) + $_levelVar_9 := $_levelVar_7 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@50.5) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(8, $r, $lvl, $x)) } + none < old[pre_stabilize7](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(8, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize7](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize7](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(8, $r, 
$lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(8, $r, $lvl, $x) == + old[pre_stabilize7](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@50.5) END + + assert $_levelVar_9 == $_levelVar_5 + } + $_levelVar_10 := $_levelVar_5 + + // ------- while END --------------- + + + // ------- open-region BEGIN ------- + + label pre_open_region4 + assert $_levelVar_10 > lvl + $_levelVar_11 := lvl + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$owner + + // ------- heap-read END ----------- + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region4](TLock_state(r, lvl, x)) + $_levelVar_12 := $_levelVar_10 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@60.5) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(9, $r, $lvl, $x)) } + none < old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(9, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize8](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, 
$lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(9, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(9, $r, $lvl, $x) == + old[pre_stabilize8](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@60.5) END + + + // ------- while BEGIN ------------- + + label preWhile + while (v < t) + invariant acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) && + (TLock_TICKET_T(r, t) && acc(TLock_TICKET(r, t), write)) + invariant t >= TLock_state(r, lvl, x) && TLock_state(r, lvl, x) >= v + { + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_atomicity_context_fp($r, + $lvl, $x), old[preWhile](perm(TLock_atomicity_context_fp($r, $lvl, $x))))) + inhale (forall $r: Ref, $lvl: Int, $x: Ref :: + { TLock_atomicity_context_df($r, $lvl, $x) } + none < + old[preWhile](perm(TLock_atomicity_context_fp($r, $lvl, $x))) ==> + TLock_atomicity_context_hf($r, $lvl, $x) == + old[preWhile](TLock_atomicity_context_hf($r, $lvl, $x))) + assert acc(TLock(r, lvl, x), write) + + // ------- Stabilising regions TLock (infer context for open-region) BEGIN + + label pre_stabilize9 + + // 
Stabilising single instance of region TLock + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(10, r, lvl, x)) } + ($$_m in TLock_interferenceSet_hf(10, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(TLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in TLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize9](TLock_state(r, lvl, x)) || + TLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize9](TLock_state(r, lvl, x)) && + TLock_sk_$_action_m(r, lvl, x) == $$_m && + TLock_sk_$_action_n(r, lvl, x) < TLock_sk_$_action_m(r, lvl, x) && + (forall $$a: Int :: + { TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) ==> + perm(TLock_TICKET(r, $$a)) == none)))) + quasihavoc TLock(r, lvl, x) + inhale (TLock_state(r, lvl, x) in + TLock_interferenceSet_hf(10, r, lvl, x)) + + // havoc performed by other front resource + + inhale TLock_interferenceReference_hf(10, r, lvl, x) == + old[pre_stabilize9](TLock_state(r, lvl, x)) + + // ------- Stabilising regions TLock (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region5 + assert $_levelVar_12 > lvl + $_levelVar_13 := lvl + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$owner + + // ------- heap-read END ----------- + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region5](TLock_state(r, lvl, x)) + $_levelVar_14 := $_levelVar_12 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@60.5) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of 
region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(11, $r, $lvl, $x)) } + none < old[pre_stabilize10](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(11, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize10](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(11, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(11, $r, $lvl, $x) == + old[pre_stabilize10](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@60.5) END + + assert $_levelVar_14 == $_levelVar_12 + } + $_levelVar_15 := $_levelVar_12 + + // ------- while END --------------- + +} + +method release(r: Ref, lvl: Int, 
x: Ref) + requires acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) + ensures acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) +{ + var v: Int + var $_levelVar_16: Int + var $_levelVar_17: Int + var $_levelVar_18: Int + var $_levelVar_19: Int + var $_levelVar_20: Int + inhale $_levelVar_16 >= 0 && $_levelVar_16 > lvl + assert $_levelVar_16 >= 0 + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(TLock(r, lvl, x), write) + + // ------- Stabilising regions TLock (infer context for open-region) BEGIN + + label pre_stabilize11 + + // Stabilising single instance of region TLock + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(12, r, lvl, x)) } + ($$_m in TLock_interferenceSet_hf(12, r, lvl, x)) == + ((none < perm(r.$diamond) && + none < perm(TLock_atomicity_context_fp(r, lvl, x)) ==> + ($$_m in TLock_atomicity_context_hf(r, lvl, x))) && + ($$_m == old[pre_stabilize11](TLock_state(r, lvl, x)) || + TLock_sk_$_action_n(r, lvl, x) == + old[pre_stabilize11](TLock_state(r, lvl, x)) && + TLock_sk_$_action_m(r, lvl, x) == $$_m && + TLock_sk_$_action_n(r, lvl, x) < TLock_sk_$_action_m(r, lvl, x) && + (forall $$a: Int :: + { TLock_TICKET_T(r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n(r, lvl, x), TLock_sk_$_action_m(r, + lvl, x))) ==> + perm(TLock_TICKET(r, $$a)) == none)))) + quasihavoc TLock(r, lvl, x) + inhale (TLock_state(r, lvl, x) in + TLock_interferenceSet_hf(12, r, lvl, x)) + + // havoc performed by other front resource + + inhale TLock_interferenceReference_hf(12, r, lvl, x) == + 
old[pre_stabilize11](TLock_state(r, lvl, x)) + + // ------- Stabilising regions TLock (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region6 + assert $_levelVar_16 > lvl + $_levelVar_17 := lvl + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + + // ------- heap-read BEGIN --------- + + v := x.$memcell_$owner + + // ------- heap-read END ----------- + + fold acc(TLock(r, lvl, x), write) + assert TLock_state(r, lvl, x) == + old[pre_open_region6](TLock_state(r, lvl, x)) + $_levelVar_18 := $_levelVar_16 + + // ------- open-region END --------- + + + // ------- Stabilising regions TLock (after open-region@74.3) BEGIN + + label pre_stabilize12 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(13, $r, $lvl, $x)) } + none < old[pre_stabilize12](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(13, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize12](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize12](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, 
$$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(13, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize12](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(13, $r, $lvl, $x) == + old[pre_stabilize12](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after open-region@74.3) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(TLock_atomicity_context_fp(r, lvl, x)) == none + assert $_levelVar_18 > lvl + $_levelVar_19 := lvl + exhale TLock_TICKET_T(r, old(TLock_state(r, lvl, x))) && + acc(TLock_TICKET(r, old(TLock_state(r, lvl, x))), write) + unfold acc(TLock(r, lvl, x), write) + + // no interference context translation needed + + inhale TLock_TICKET_T(r, old(TLock_state(r, lvl, x))) && + acc(TLock_TICKET(r, old(TLock_state(r, lvl, x))), write) + exhale acc(TLock(r, lvl, x), perm(TLock(r, lvl, x))) + + // ------- heap-write BEGIN -------- + + x.$memcell_$owner := v + 1 + + // ------- heap-write END ---------- + + inhale perm(TLock_TICKET(r, old(TLock_state(r, lvl, x)))) <= write + fold acc(TLock(r, lvl, x), write) + assert old[pre_use_atomic0](TLock_state(r, lvl, x)) == + TLock_state(r, lvl, x) || + old[pre_use_atomic0](TLock_state(r, lvl, x)) < TLock_state(r, lvl, x) && + (forall $a: Int ::($a in + comprehension_16_280(old[pre_use_atomic0](TLock_state(r, lvl, x)), TLock_state(r, + lvl, x))) ==> + $a == old(TLock_state(r, lvl, x))) + $_levelVar_20 := $_levelVar_18 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions TLock (after use-atomic@78.3) BEGIN + + label pre_stabilize13 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: 
TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(14, $r, $lvl, $x)) } + none < old[pre_stabilize13](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(14, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize13](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize13](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(14, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize13](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(14, $r, $lvl, $x) == + old[pre_stabilize13](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions TLock (after use-atomic@78.3) END + +} + +method CAS(x: Ref, now: Int, thn: Int) returns (ret: Bool) + requires acc(x.$memcell_$next, write) && true + ensures (old(x.$memcell_$next) == now ? 
+ ret && (acc(x.$memcell_$next, write) && x.$memcell_$next == thn) : + !ret && + (acc(x.$memcell_$next, write) && + x.$memcell_$next == old(x.$memcell_$next))) + + +method $_TLock_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_12_150(x.$memcell_$next)) } + ($a in comprehension_12_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_12_150(x.$memcell_$next)) } + ($a in comprehension_12_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner + + // ------- Stabilising regions TLock (check stability of region interpretation) BEGIN + + label pre_stabilize14 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize14](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize14](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize14](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + 
$lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions TLock (check stability of region interpretation) END + + assert acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_12_150(x.$memcell_$next)) } + ($a in comprehension_12_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_12_150(x.$memcell_$next)) } + ($a in comprehension_12_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner +} + +method $_TLock_action_transitivity_check() +{ + var TICKET: Set[Int] + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + (comprehension_16_280($_action_n_0_x, $_action_m_0_x) subset TICKET) + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + (comprehension_16_280($_action_n_0_y, $_action_m_0_y) subset TICKET) + assert aState == cState || + aState == aState && cState == cState && aState < cState && + (comprehension_16_280(aState, cState) subset TICKET) +} + +method $_makeLock_condition_stability_precondition_check(lvl: Int, ret: Ref, + r: Ref) + requires lvl >= 0 +{ + var $_levelVar_22: Int + inhale $_levelVar_22 >= 0 + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions TLock (check stability of method condition) BEGIN + + label pre_stabilize15 + + // Stabilising 
all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize15](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize15](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize15](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions TLock (check stability of method condition) END + + assert lvl >= 0 +} + +method $_acquire_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) +{ + var $_levelVar_23: Int + var b: Bool + var t: Int + var v: Int + inhale $_levelVar_23 >= 0 && $_levelVar_23 > lvl + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions TLock (check stability of method condition) BEGIN + + label pre_stabilize16 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref 
[TLock($r, $lvl, $x)] :: none < + old[pre_stabilize16](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize16](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize16](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions TLock (check stability of method condition) END + + assert acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) +} + +method $_release_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +{ + var $_levelVar_24: Int + var v: Int + inhale $_levelVar_24 >= 0 && $_levelVar_24 > lvl + inhale acc(TLock_sk_fp(), write) + + // no init required + + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions TLock (check stability of method condition) BEGIN + + label pre_stabilize17 + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize17](perm(TLock($r, $lvl, $x))) ==> + (none < 
perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize17](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize17](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_16_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions TLock (check stability of method condition) END + + assert acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLockClient.vl.vpr b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLockClient.vl.vpr new file mode 100644 index 00000000..4dd55aec --- /dev/null +++ b/src/test/resources/biabduction/frontends/voila/voila_evaluation_examples/weak_spec/correct/TicketLockClient.vl.vpr 
@@ -0,0 +1,1615 @@ +domain $Map[U, V] { + + function Map_keys(m: $Map[U, V]): Set[U] + + function Map_card(m: $Map[U, V]): Int + + function Map_lookup(m: $Map[U, V], u: U): V + + function Map_values(m: $Map[U, V]): Set[V] + + function Map_empty(): $Map[U, V] + + function Map_build(m: $Map[U, V], u: U, v: V): $Map[U, V] + + function Map_equal(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_disjoint(m1: $Map[U, V], m2: $Map[U, V]): Bool + + function Map_union(m1: $Map[U, V], m2: $Map[U, V]): $Map[U, V] + + axiom Map_card_non_neg { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + 0 <= (Map_card(m): Int)) + } + + axiom Map_card_domain { + (forall m: $Map[U, V] :: + { |(Map_keys(m): Set[U])| } + |(Map_keys(m): Set[U])| == (Map_card(m): Int)) + } + + axiom Map_values_def { + (forall m: $Map[U, V], v: V :: + { (v in (Map_values(m): Set[V])) } + (v in (Map_values(m): Set[V])) == + (exists u: U :: (u in (Map_keys(m): Set[U])) && + v == (Map_lookup(m, u): V))) + } + + axiom Map_empty_1 { + (forall u: U :: + { (u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])) } + !((u in (Map_keys((Map_empty(): $Map[U, V])): Set[U])))) + } + + axiom Map_empty_2 { + (forall m: $Map[U, V] :: + { (Map_card(m): Int) } + ((Map_card(m): Int) == 0) == (m == (Map_empty(): $Map[U, V])) && + ((Map_card(m): Int) != 0 ==> + (exists u: U :: (u in (Map_keys(m): Set[U]))))) + } + + axiom Map_build_1 { + (forall m: $Map[U, V], u1: U, u2: U, v: V :: + { (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) } + (u2 == u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u1): V) == v) && + (u2 != u1 ==> + (u2 in (Map_keys((Map_build(m, u1, v): $Map[U, V])): Set[U])) == + (u2 in (Map_keys(m): Set[U])) && + (Map_lookup((Map_build(m, u1, v): $Map[U, V]), u2): V) == + (Map_lookup(m, u2): V))) + } + + axiom Map_build_2 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + (u in 
(Map_keys(m): Set[U])) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int)) + } + + axiom Map_build_3 { + (forall m: $Map[U, V], u: U, v: V :: + { (Map_card((Map_build(m, u, v): $Map[U, V])): Int) } + !((u in (Map_keys(m): Set[U]))) ==> + (Map_card((Map_build(m, u, v): $Map[U, V])): Int) == + (Map_card(m): Int) + 1) + } + + axiom Map_equality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + (u in (Map_keys(m1): Set[U])) == (u in (Map_keys(m2): Set[U])))) + } + + axiom Map_extensionality { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_equal(m1, m2): Bool) } + (Map_equal(m1, m2): Bool) ==> m1 == m2) + } + + axiom Map_disjoint_def { + (forall m1: $Map[U, V], m2: $Map[U, V] :: + { (Map_disjoint(m1, m2): Bool) } + (Map_disjoint(m1, m2): Bool) == + (forall u: U :: + { (u in (Map_keys(m1): Set[U])) } + { (u in (Map_keys(m2): Set[U])) } + !((u in (Map_keys(m1): Set[U]))) || + !((u in (Map_keys(m2): Set[U]))))) + } + + axiom Map_union_1 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) } + { (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U]))) } + (Map_disjoint(m1, m2): Bool) ==> + (u in (Map_keys((Map_union(m1, m2): $Map[U, V])): Set[U])) == + (u in ((Map_keys(m1): Set[U]) union (Map_keys(m2): Set[U])))) + } + + axiom Map_union_2 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m1): Set[U])) ==> + (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) == + (Map_lookup(m1, u): V)) + } + + axiom Map_union_3 { + (forall m1: $Map[U, V], m2: $Map[U, V], u: U :: + { (Map_lookup((Map_union(m1, m2): $Map[U, V]), u): V) } + (Map_disjoint(m1, m2): Bool) && (u in (Map_keys(m2): Set[U])) ==> + (Map_lookup((Map_union(m1, 
m2): $Map[U, V]), u): V) == + (Map_lookup(m2, u): V)) + } +} + +domain trigger_functions { + + function Client_state_T(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Bool + + function TLock_TICKET_T($r: Ref, n: Int): Bool + + function TLock_state_T(r: Ref, lvl: Int, x: Ref): Bool + + axiom TLock_TICKET_T_bottom { + (forall $r: Ref, n: Int :: + { TLock_TICKET_T($r, n) } + TLock_TICKET_T($r, n)) + } +} + +domain interferenceReference_Domain { + + function Client_interferenceReference_df($p0: Int, c: Ref, l: Int, z: Ref, + r: Ref, lvl: Int, x: Ref): Bool + + function TLock_interferenceReference_df($p0: Int, r: Ref, lvl: Int, x: Ref): Bool +} + +domain interferenceSet_Domain { + + function Client_interferenceSet_df($p0: Int, c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref): Set[Int] + + function TLock_interferenceSet_df($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] +} + +domain atomicity_context_Domain { + + function Client_atomicity_context_df(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref): Bool + + function TLock_atomicity_context_df(r: Ref, lvl: Int, x: Ref): Bool +} + +field $diamond: Int + +field $stepFrom_int: Int + +field $stepTo_int: Int + +field $dualcell_$left: Int + +field $dualcell_$right: Int + +field $dualcell_$_val: Int + +field $dualcell_$_own: Bool + +field $memcell_$next: Int + +field $memcell_$owner: Int + +function IntSet(): Set[Int] + ensures (forall n: Int ::(n in result)) + + +function NatSet(): Set[Int] + ensures (forall n: Int ::0 <= n == (n in result)) + + +function comprehension_74_280($s_0: Int, $s_1: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == ($s_0 <= $k && $k < $s_1)) + + +function comprehension_85_220(): Set[Int] + ensures (forall $k: Int ::($k in result) == true) + + +function comprehension_70_150($s_0: Int): Set[Int] + ensures (forall $k: Int ::($k in result) == $k >= $s_0) + + +function Client_atomicity_context_hf(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref): Set[Int] + requires 
acc(Client_atomicity_context_fp(c, l, z, r, lvl, x), write) + ensures [Client_atomicity_context_df(c, l, z, r, lvl, x), true] + + +function Client_interferenceSet_hf($p0: Int, c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref): Set[Int] + requires acc(Client_interferenceContext_fp(c, l, z, r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> + ($_m in Client_interferenceSet_df($p0, c, l, z, r, lvl, x))), + true] + + +function Client_interferenceReference_hf($p0: Int, c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref): Int + requires acc(Client_interferenceContext_fp(c, l, z, r, lvl, x), write) + ensures [Client_interferenceReference_df($p0, c, l, z, r, lvl, x), true] + + +function Client_sk_$_action_n(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Client_sk_fp(), write) + + +function Client_sk_$_action_m(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Client_sk_fp(), write) + + +function Client_state(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref): Int + requires acc(Client(c, l, z, r, lvl, x), write) + ensures [Client_state_T(c, l, z, r, lvl, x), true] +{ + (unfolding acc(Client(c, l, z, r, lvl, x), write) in z.$dualcell_$_val) +} + +function TLock_atomicity_context_hf(r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(TLock_atomicity_context_fp(r, lvl, x), write) + ensures [TLock_atomicity_context_df(r, lvl, x), true] + + +function TLock_interferenceSet_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Set[Int] + requires acc(TLock_interferenceContext_fp(r, lvl, x), write) + ensures [(forall $_m: Int :: + { ($_m in result) } + ($_m in result) ==> ($_m in TLock_interferenceSet_df($p0, r, lvl, x))), + true] + + +function TLock_interferenceReference_hf($p0: Int, r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_interferenceContext_fp(r, lvl, x), write) + ensures [TLock_interferenceReference_df($p0, r, lvl, x), true] + + +function TLock_sk_$_action_n(r: Ref, lvl: Int, x: Ref): Int + 
requires acc(TLock_sk_fp(), write) + + +function TLock_sk_$_action_m(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock_sk_fp(), write) + + +function TLock_out0(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock(r, lvl, x), write) +{ + (unfolding acc(TLock(r, lvl, x), write) in x.$memcell_$next) +} + +function TLock_state(r: Ref, lvl: Int, x: Ref): Int + requires acc(TLock(r, lvl, x), write) + ensures [TLock_state_T(r, lvl, x), true] +{ + (unfolding acc(TLock(r, lvl, x), write) in x.$memcell_$owner) +} + +predicate Client_Z($r: Ref) + +predicate Client_atomicity_context_fp(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref) + +predicate Client_interferenceContext_fp(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, + x: Ref) + +predicate Client_sk_fp() + +predicate Client(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref) { + acc(z.$dualcell_$_val, write) && true && + (acc(z.$dualcell_$_own, write) && true) && + (acc(TLock(r, lvl, x), write) && (lvl >= 0 && true)) && + lvl < l && + (z.$dualcell_$_own ? 
+ TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write) : + acc(z.$dualcell_$left, write) && z.$dualcell_$left == z.$dualcell_$_val && + (acc(z.$dualcell_$right, write) && + z.$dualcell_$right == z.$dualcell_$_val)) +} + +predicate TLock_TICKET($r: Ref, n: Int) + +predicate TLock_atomicity_context_fp(r: Ref, lvl: Int, x: Ref) + +predicate TLock_interferenceContext_fp(r: Ref, lvl: Int, x: Ref) + +predicate TLock_sk_fp() + +predicate TLock(r: Ref, lvl: Int, x: Ref) { + acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_70_150(x.$memcell_$next)) } + ($a in comprehension_70_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_70_150(x.$memcell_$next)) } + ($a in comprehension_70_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner +} + +method havoc_Bool() returns ($r: Bool) + + +method havoc_Int() returns ($r: Int) + + +method havoc_Ref() returns ($r: Ref) + + +method ___silicon_hack407_havoc_all_Client() + + +method ___silicon_hack407_havoc_all_Client_interferenceContext_fp() + + +method ___silicon_hack407_havoc_all_TLock() + + +method ___silicon_hack407_havoc_all_TLock_interferenceContext_fp() + + +method foo(c: Ref, l: Int, z: Ref, r: Ref, lvl: Int, x: Ref, w: Int) + requires acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) + ensures acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) +{ + var ni: Int + var s1: Bool + var a: Int + var m: Int + var s2: Bool + var $_levelVar_0: Int + var $_levelVar_1: Int + var $_levelVar_2: Int + var $_levelVar_3: Int + var $_levelVar_4: Int + inhale $_levelVar_0 >= 0 && $_levelVar_0 > l + assert $_levelVar_0 >= 0 + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + 
// no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + assert acc(Client(c, l, z, r, lvl, x), write) + + // ------- Stabilising regions Client (infer context for open-region) BEGIN + + label pre_stabilize0 + + // Stabilising single instance of region Client + quasihavoc Client_interferenceContext_fp(c, l, z, r, lvl, x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forall $$_m: Int :: + { ($$_m in Client_interferenceSet_df(1, c, l, z, r, lvl, x)) } + ($$_m in Client_interferenceSet_hf(1, c, l, z, r, lvl, x)) == + ((none < perm(c.$diamond) && + none < perm(Client_atomicity_context_fp(c, l, z, r, lvl, x)) ==> + ($$_m in Client_atomicity_context_hf(c, l, z, r, lvl, x))) && + ($$_m == old[pre_stabilize0](Client_state(c, l, z, r, lvl, x)) || + Client_sk_$_action_n(c, l, z, r, lvl, x) == + old[pre_stabilize0](Client_state(c, l, z, r, lvl, x)) && + Client_sk_$_action_m(c, l, z, r, lvl, x) == $$_m && + true && + true))) + quasihavoc Client(c, l, z, r, lvl, x) + inhale (Client_state(c, l, z, r, lvl, x) in + Client_interferenceSet_hf(1, c, l, z, r, lvl, x)) + + // havoc performed by other front resource + + inhale Client_interferenceReference_hf(1, c, l, z, r, lvl, x) == + old[pre_stabilize0](Client_state(c, l, z, r, lvl, x)) + + // ------- Stabilising regions Client (infer context for open-region) END + + + // ------- open-region BEGIN ------- + + label pre_open_region0 + assert $_levelVar_0 > l + $_levelVar_1 := l + unfold acc(Client(c, l, z, r, lvl, x), write) + label transitionPre0 + quasihavoc TLock_interferenceContext_fp(r, lvl, x) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + TLock_interferenceReference_hf(1, r, lvl, x) == + 
old[transitionPre0](TLock_state(r, lvl, x)) + + // ------- assert BEGIN ------------ + + assert acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) + ni := TLock_state(r, lvl, x) + + // ------- assert END -------------- + + + // ------- call:acquire BEGIN ------ + + assert (forall $_m: Int :: + { ($_m in TLock_interferenceSet_hf(1, r, lvl, x)) } + ($_m in TLock_interferenceSet_hf(1, r, lvl, x)) ==> + ($_m in comprehension_85_220())) + label pre_call0 + assert $_levelVar_1 >= 0 && $_levelVar_1 > lvl + assert true + exhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_state(r, lvl, x) in comprehension_85_220()) + + // ------- Stabilising regions Client,TLock (within call:acquire@28.5) BEGIN + + label pre_stabilize + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: 
Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (within call:acquire@28.5) END + + inhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && + TLock_state(r, lvl, x) == old[pre_call0](TLock_state(r, lvl, x))) && + (TLock_TICKET_T(r, old[pre_call0](TLock_state(r, lvl, x))) && + acc(TLock_TICKET(r, old[pre_call0](TLock_state(r, lvl, x))), write)) + + // ------- call:acquire END -------- + + inhale perm(TLock_TICKET(r, ni)) <= write + + // ------- havoc BEGIN ------------- + + exhale acc(z.$dualcell_$_own, write) + inhale acc(z.$dualcell_$_own, write) + + // ------- havoc END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$dualcell_$_own, write) && true + s1 := z.$dualcell_$_own + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale s1 == true + + // ------- assume END -------------- + + fold acc(Client(c, l, z, r, lvl, x), write) + assert Client_state(c, l, z, r, lvl, x) == + old[pre_open_region0](Client_state(c, l, z, r, lvl, x)) + $_levelVar_2 := $_levelVar_0 + + // ------- open-region END --------- + + + // ------- Stabilising 
regions Client,TLock (after open-region@25.3) BEGIN + + label pre_stabilize2 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Client_interferenceSet_df(2, $c, $l, $z, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(2, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize2](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize2](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(2, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(2, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize2](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, 
$$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(2, $r, $lvl, $x)) } + none < old[pre_stabilize2](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(2, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize2](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize2](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(2, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize2](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(2, $r, $lvl, $x) == + old[pre_stabilize2](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after open-region@25.3) END + + + // ------- heap-write BEGIN -------- + + z.$dualcell_$left := w + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Client,TLock (after heap-write@39.3) BEGIN + + label 
pre_stabilize3 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Client_interferenceSet_df(3, $c, $l, $z, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(3, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize3](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize3](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(3, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(3, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize3](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + 
$$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(3, $r, $lvl, $x)) } + none < old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(3, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize3](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize3](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(3, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize3](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(3, $r, $lvl, $x) == + old[pre_stabilize3](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after heap-write@39.3) END + + + // ------- heap-write BEGIN -------- + + z.$dualcell_$right := w + + // ------- heap-write END ---------- + + + // ------- Stabilising regions Client,TLock (after heap-write@40.3) BEGIN + + label pre_stabilize4 + + // Stabilising all instances of region 
Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Client_interferenceSet_df(4, $c, $l, $z, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(4, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize4](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize4](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(4, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(4, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize4](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale 
acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(4, $r, $lvl, $x)) } + none < old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(4, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize4](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize4](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(4, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize4](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(4, $r, $lvl, $x) == + old[pre_stabilize4](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after heap-write@40.3) END + + + // ------- use-atomic BEGIN -------- + + label pre_use_atomic0 + assert perm(Client_atomicity_context_fp(c, l, z, r, lvl, x)) == none + assert $_levelVar_2 > l + $_levelVar_3 := l + exhale acc(Client_Z(c), write) + unfold acc(Client(c, l, z, r, lvl, x), write) + label transitionPre + quasihavoc 
TLock_interferenceContext_fp(r, lvl, x) + + // no additional linking required + + + // havoc performed by other front resource + + inhale true ==> + TLock_interferenceReference_hf(4, r, lvl, x) == + old[transitionPre](TLock_state(r, lvl, x)) + inhale acc(Client_Z(c), write) + exhale acc(Client(c, l, z, r, lvl, x), perm(Client(c, l, z, r, lvl, x))) + + // ------- havoc BEGIN ------------- + + exhale acc(z.$dualcell_$_val, write) + inhale acc(z.$dualcell_$_val, write) + + // ------- havoc END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$dualcell_$_val, write) && true + a := z.$dualcell_$_val + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale a == w + + // ------- assume END -------------- + + + // ------- assert BEGIN ------------ + + assert acc(TLock(r, lvl, x), write) && (lvl >= 0 && true) + m := TLock_state(r, lvl, x) + + // ------- assert END -------------- + + + // ------- havoc BEGIN ------------- + + exhale acc(z.$dualcell_$_own, write) + inhale acc(z.$dualcell_$_own, write) + + // ------- havoc END --------------- + + + // ------- assert BEGIN ------------ + + assert acc(z.$dualcell_$_own, write) && true + s2 := z.$dualcell_$_own + + // ------- assert END -------------- + + + // ------- assume BEGIN ------------ + + inhale s2 == false + + // ------- assume END -------------- + + + // ------- call:release BEGIN ------ + + assert (forall $_m: Int :: + { ($_m in TLock_interferenceSet_hf(4, r, lvl, x)) } + ($_m in TLock_interferenceSet_hf(4, r, lvl, x)) ==> + ($_m in comprehension_85_220())) + label pre_call + assert $_levelVar_3 >= 0 && $_levelVar_3 > lvl + assert true + exhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) && + (TLock_state(r, lvl, x) in comprehension_85_220()) + + // ------- Stabilising regions Client,TLock (within 
call:release@53.5) BEGIN + + label pre_stabilize5 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize5](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize5](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize5](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize5](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize5](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + 
$lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (within call:release@53.5) END + + inhale acc(TLock(r, lvl, x), write) && + (lvl >= 0 && + TLock_state(r, lvl, x) == old[pre_call](TLock_state(r, lvl, x)) + 1) + + // ------- call:release END -------- + + fold acc(Client(c, l, z, r, lvl, x), write) + assert true + $_levelVar_4 := $_levelVar_2 + + // ------- use-atomic END ---------- + + + // ------- Stabilising regions Client,TLock (after use-atomic@42.3) BEGIN + + label pre_stabilize6 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client_interferenceContext_fp($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in Client_interferenceSet_df(5, $c, $l, $z, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + ($$_m in Client_interferenceSet_hf(5, $c, $l, $z, $r, $lvl, $x)) == + ((none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + ($$_m in Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + ($$_m == + old[pre_stabilize6](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize6](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == $$_m && + true && + true)))) + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Client($c, 
$l, $z, $r, $lvl, $x))) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_interferenceSet_hf(5, $c, $l, $z, $r, $lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + Client_interferenceReference_hf(5, $c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize6](Client_state($c, $l, $z, $r, $lvl, $x))) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock_interferenceContext_fp($$r, + $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: (forall $$_m: Int :: + { ($$_m in TLock_interferenceSet_df(5, $r, $lvl, $x)) } + none < old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + ($$_m in TLock_interferenceSet_hf(5, $r, $lvl, $x)) == + ((none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + ($$_m in TLock_atomicity_context_hf($r, $lvl, $x))) && + ($$_m == old[pre_stabilize6](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize6](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == $$_m && + TLock_sk_$_action_n($r, $lvl, $x) < + TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))))) + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + (TLock_state($r, $lvl, $x) in + TLock_interferenceSet_hf(5, $r, 
$lvl, $x))) + + // havoc performed by other front resource + + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize6](perm(TLock($r, $lvl, $x))) ==> + TLock_interferenceReference_hf(5, $r, $lvl, $x) == + old[pre_stabilize6](TLock_state($r, $lvl, $x))) + + // ------- Stabilising regions Client,TLock (after use-atomic@42.3) END + +} + +method acquire(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) + requires (TLock_state(r, lvl, x) in comprehension_85_220()) + ensures acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == old(TLock_state(r, lvl, x))) && + (TLock_TICKET_T(r, old(TLock_state(r, lvl, x))) && + acc(TLock_TICKET(r, old(TLock_state(r, lvl, x))), write)) +{ + var $_levelVar_5: Int + inhale $_levelVar_5 >= 0 && $_levelVar_5 > lvl + assert $_levelVar_5 >= 0 + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_85_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + old(TLock_state(r, lvl, x)) + inhale false +} + +method release(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) + requires (TLock_state(r, lvl, x) in comprehension_85_220()) + ensures acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == old(TLock_state(r, lvl, x)) + 1) +{ + var $_levelVar_6: Int + inhale $_levelVar_6 >= 0 && $_levelVar_6 > lvl + assert 
$_levelVar_6 >= 0 + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_85_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + old(TLock_state(r, lvl, x)) + inhale false +} + +method $_Client_interpretation_stability_check(c: Ref, l: Int, z: Ref, r: Ref, + lvl: Int, x: Ref) +{ + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale acc(z.$dualcell_$_val, write) && true && + (acc(z.$dualcell_$_own, write) && true) && + (acc(TLock(r, lvl, x), write) && (lvl >= 0 && true)) && + lvl < l && + (z.$dualcell_$_own ? 
+ TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write) : + acc(z.$dualcell_$left, write) && + z.$dualcell_$left == z.$dualcell_$_val && + (acc(z.$dualcell_$right, write) && + z.$dualcell_$right == z.$dualcell_$_val)) + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) BEGIN + + label pre_stabilize7 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize7](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize7](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize7](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize7](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + 
old[pre_stabilize7](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) END + + assert acc(z.$dualcell_$_val, write) && true && + (acc(z.$dualcell_$_own, write) && true) && + (acc(TLock(r, lvl, x), write) && (lvl >= 0 && true)) && + lvl < l && + (z.$dualcell_$_own ? + TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write) : + acc(z.$dualcell_$left, write) && + z.$dualcell_$left == z.$dualcell_$_val && + (acc(z.$dualcell_$right, write) && + z.$dualcell_$right == z.$dualcell_$_val)) +} + +method $_Client_action_transitivity_check() +{ + var Z: Bool + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && true && Z + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && true && Z + assert aState == cState || + aState == aState && cState == cState && true && Z +} + +method $_TLock_interpretation_stability_check(r: Ref, lvl: Int, x: Ref) +{ + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), 
write)) + inhale acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_70_150(x.$memcell_$next)) } + ($a in comprehension_70_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_70_150(x.$memcell_$next)) } + ($a in comprehension_70_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) BEGIN + + label pre_stabilize8 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize8](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize8](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize8](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < 
perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize8](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize8](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of region interpretation) END + + assert acc(x.$memcell_$owner, write) && true && + (acc(x.$memcell_$next, write) && true) && + ((forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_70_150(x.$memcell_$next)) } + ($a in comprehension_70_150(x.$memcell_$next)) ==> + TLock_TICKET_T(r, $a)) && + (forall $a: Int :: + { TLock_TICKET_T(r, $a) } + { ($a in comprehension_70_150(x.$memcell_$next)) } + ($a in comprehension_70_150(x.$memcell_$next)) ==> + acc(TLock_TICKET(r, $a), write))) && + x.$memcell_$next >= x.$memcell_$owner +} + +method $_TLock_action_transitivity_check() +{ + var TICKET: Set[Int] + var $_action_n_0_x: Int + var $_action_m_0_x: Int + var $_action_n_0_y: Int + var $_action_m_0_y: Int + var aState: Int + var bState: Int + var cState: Int + inhale aState == bState || + $_action_n_0_x == aState && $_action_m_0_x == bState && + $_action_n_0_x < $_action_m_0_x && + (comprehension_74_280($_action_n_0_x, $_action_m_0_x) subset TICKET) + inhale bState == cState || + $_action_n_0_y == bState && $_action_m_0_y == cState && + $_action_n_0_y < $_action_m_0_y && + (comprehension_74_280($_action_n_0_y, $_action_m_0_y) subset TICKET) + 
assert aState == cState || + aState == aState && cState == cState && aState < cState && + (comprehension_74_280(aState, cState) subset TICKET) +} + +method $_foo_condition_stability_precondition_check(c: Ref, l: Int, z: Ref, + r: Ref, lvl: Int, x: Ref, w: Int) + requires acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) +{ + var $_levelVar_7: Int + inhale $_levelVar_7 >= 0 && $_levelVar_7 > l + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + + // ------- Stabilising regions Client,TLock (check stability of method condition) BEGIN + + label pre_stabilize9 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize9](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize9](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: 
TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize9](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize9](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize9](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of method condition) END + + assert acc(Client(c, l, z, r, lvl, x), write) && (l >= 0 && true) && + acc(Client_Z(c), write) +} + +method $_acquire_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) +{ + var $_levelVar_8: Int + inhale $_levelVar_8 >= 0 && $_levelVar_8 > lvl + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_85_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + 
old(TLock_state(r, lvl, x)) + + // ------- Stabilising regions Client,TLock (check stability of method condition) BEGIN + + label pre_stabilize10 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, $z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize10](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize10](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize10](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize10](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize10](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) 
} + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of method condition) END + + assert acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) +} + +method $_release_condition_stability_precondition_check(r: Ref, lvl: Int, x: Ref) + requires acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +{ + var $_levelVar_9: Int + inhale $_levelVar_9 >= 0 && $_levelVar_9 > lvl + inhale acc(Client_sk_fp(), write) && acc(TLock_sk_fp(), write) + + // no init required + + + // no init required + + inhale (forall $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref ::acc(Client_interferenceContext_fp($c, + $l, $z, $r, $lvl, $x), write)) + inhale (forall $r: Ref, $lvl: Int, $x: Ref ::acc(TLock_interferenceContext_fp($r, + $lvl, $x), write)) + inhale TLock_interferenceSet_hf(5, r, lvl, x) == comprehension_85_220() + inhale TLock_interferenceReference_hf(5, r, lvl, x) == + old(TLock_state(r, lvl, x)) + + // ------- Stabilising regions Client,TLock (check stability of method condition) BEGIN + + label pre_stabilize11 + + // Stabilising all instances of region Client + quasihavocall $$c: Ref, $$l: Int, $$z: Ref, $$r: Ref, $$lvl: Int, $$x: Ref :: Client($$c, + $$l, $$z, $$r, $$lvl, $$x) + exhale acc(Client_sk_fp(), write) + inhale acc(Client_sk_fp(), write) + inhale (forperm + $c: Ref, $l: Int, $z: Ref, $r: Ref, $lvl: Int, $x: Ref [Client($c, $l, + $z, $r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(Client($c, $l, $z, $r, $lvl, $x))) ==> + (none < perm($c.$diamond) && + none < perm(Client_atomicity_context_fp($c, $l, 
$z, $r, $lvl, $x)) ==> + (Client_state($c, $l, $z, $r, $lvl, $x) in + Client_atomicity_context_hf($c, $l, $z, $r, $lvl, $x))) && + (Client_state($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize11](Client_state($c, $l, $z, $r, $lvl, $x)) || + Client_sk_$_action_n($c, $l, $z, $r, $lvl, $x) == + old[pre_stabilize11](Client_state($c, $l, $z, $r, $lvl, $x)) && + Client_sk_$_action_m($c, $l, $z, $r, $lvl, $x) == + Client_state($c, $l, $z, $r, $lvl, $x) && + true && + true)) + + // Stabilising all instances of region TLock + quasihavocall $$r: Ref, $$lvl: Int, $$x: Ref :: TLock($$r, $$lvl, $$x) + exhale acc(TLock_sk_fp(), write) + inhale acc(TLock_sk_fp(), write) + inhale (forperm + $r: Ref, $lvl: Int, $x: Ref [TLock($r, $lvl, $x)] :: none < + old[pre_stabilize11](perm(TLock($r, $lvl, $x))) ==> + (none < perm($r.$diamond) && + none < perm(TLock_atomicity_context_fp($r, $lvl, $x)) ==> + (TLock_state($r, $lvl, $x) in + TLock_atomicity_context_hf($r, $lvl, $x))) && + (TLock_state($r, $lvl, $x) == + old[pre_stabilize11](TLock_state($r, $lvl, $x)) || + TLock_sk_$_action_n($r, $lvl, $x) == + old[pre_stabilize11](TLock_state($r, $lvl, $x)) && + TLock_sk_$_action_m($r, $lvl, $x) == TLock_state($r, $lvl, $x) && + TLock_sk_$_action_n($r, $lvl, $x) < TLock_sk_$_action_m($r, $lvl, $x) && + (forall $$a: Int :: + { TLock_TICKET_T($r, $$a) } + { ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) } + ($$a in + comprehension_74_280(TLock_sk_$_action_n($r, $lvl, $x), TLock_sk_$_action_m($r, + $lvl, $x))) ==> + perm(TLock_TICKET($r, $$a)) == none))) + + // ------- Stabilising regions Client,TLock (check stability of method condition) END + + assert acc(TLock(r, lvl, x), write) && + (lvl >= 0 && TLock_state(r, lvl, x) == TLock_state(r, lvl, x)) && + (TLock_TICKET_T(r, TLock_state(r, lvl, x)) && + acc(TLock_TICKET(r, TLock_state(r, lvl, x)), write)) +} \ No newline at end of file 
diff --git a/src/test/resources/biabduction/grasshopper/nested_sl/destroy.vpr b/src/test/resources/biabduction/grasshopper/nested_sl/destroy.vpr
new file mode 100644
index 00000000..47c70cc5
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/nested_sl/destroy.vpr
@@ -0,0 +1,32 @@
+import "./nested_def.vpr"
+
+method destroy(x: Ref)
+requires OuterNode(x)
+{
+ var currO: Ref := x
+
+ while(currO != null)
+ invariant OuterNode(currO)
+ {
+ var currO_old: Ref := currO
+ unfold OuterNode(currO)
+ var ic: Ref := currO.down
+ var currI: Ref := ic
+ while(currI != null)
+ invariant InnerNode(currI)
+ {
+ var currI_old: Ref := currI
+ unfold InnerNode(currI)
+ currI := currI.inext
+ freeI(currI_old)
+ }
+ currO := currO.onext
+ freeO(currO_old)
+ }
+}
+
+method freeO(x: Ref)
+requires acc(x.onext) && acc(x.down)
+
+method freeI(x: Ref)
+requires acc(x.inext)
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/nested_sl/insert.vpr b/src/test/resources/biabduction/grasshopper/nested_sl/insert.vpr
new file mode 100644
index 00000000..1b7c75b1
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/nested_sl/insert.vpr
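Review bot: destroy.vpr declares the abstract `freeO`/`freeI` methods that remove.vpr further down in this patch declares again verbatim, and `havoc` is likewise repeated in insert.vpr and remove.vpr; since every file in nested_sl/ imports nested_def.vpr, those declarations could live there once. A one-line comment above them, e.g. `// abstract deallocation: consumes the node's fields, no postcondition`, would also make their role obvious to whoever reads a failing test.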
@@ -0,0 +1,101 @@ +import "./nested_def.vpr" + +method insert(x: Ref) returns (res: Ref) +requires OuterNode(x) +ensures OuterNode(res) +{ + if(x == null){ + var inn: Ref := new(*) + inn.inext := null + fold InnerNode(inn.inext) + fold InnerNode(inn) + res := new(*) + res.down := inn + res.onext := null + fold OuterNode(res) + } else { + var nondet: Bool + var currO: Ref := x + + package OuterNode(currO) --* OuterNode(x) + unfold OuterNode(currO) + + while(nondet && currO.onext != null) + invariant acc(currO.onext) && acc(currO.down) && InnerNode(currO.down) + invariant OuterNode(currO.onext) + invariant OuterNode(currO) --* OuterNode(x) + { + nondet := havoc() + var currO_old: Ref := currO + currO := currO.onext + unfold OuterNode(currO) + + package OuterNode(currO) --* OuterNode(x) { + fold OuterNode(currO_old) + apply OuterNode(currO_old) --* OuterNode(x) + } + } + + nondet := havoc() + + // New outer node + if(nondet){ + var currO_old: Ref := currO + var newO: Ref := new(*) + newO.down := null + fold InnerNode(newO.down) + newO.onext := currO.onext + currO.onext := newO + currO := newO + package OuterNode(currO) --* OuterNode(x) { + fold OuterNode(currO_old) + apply OuterNode(currO_old) --* OuterNode(x) + } + } + + // Insert in inner list + if(currO.down == null){ + var i: Ref := new(*) + i.inext := null + fold InnerNode(i) + currO.down := i + } else { + + // Go through inner list + var ic: Ref := currO.down + var currI: Ref := ic + package InnerNode(currI) --* InnerNode(ic) + unfold InnerNode(currI) + nondet := havoc() + + while(nondet && currI.inext != null) + invariant acc(currI.inext) + invariant InnerNode(currI.inext) + invariant InnerNode(currI) --* InnerNode(ic) + { + nondet := havoc() + + var currI_old: Ref := currI + currI := currI.inext + unfold InnerNode(currI) + package InnerNode(currI) --* InnerNode(ic){ + fold InnerNode(currI_old) + apply InnerNode(currI_old) --* InnerNode(ic) + } + } + + var i: Ref := new(*) + i.inext := currI.inext + fold 
InnerNode(i) + currI.inext := i + fold InnerNode(currI) + apply InnerNode(currI) --* InnerNode(ic) + } + + fold OuterNode(currO) + apply OuterNode(currO) --* OuterNode(x) + res := x + } +} + +method havoc() returns (res: Bool) \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/nested_sl/nested_def.vpr b/src/test/resources/biabduction/grasshopper/nested_sl/nested_def.vpr new file mode 100644 index 00000000..e30627a9 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/nested_sl/nested_def.vpr @@ -0,0 +1,12 @@ +field onext: Ref +field down: Ref + +field inext: Ref + +predicate OuterNode(x: Ref) { + x != null ==> acc(x.onext) && acc(x.down) && OuterNode(x.onext) && InnerNode(x.down) +} + +predicate InnerNode(x: Ref) { + x != null ==> acc(x.inext) && InnerNode(x.inext) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/nested_sl/remove.vpr b/src/test/resources/biabduction/grasshopper/nested_sl/remove.vpr new file mode 100644 index 00000000..4648d5e5 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/nested_sl/remove.vpr 
@@ -0,0 +1,99 @@ +import "./nested_def.vpr" + +method remove(x: Ref) returns (res: Ref) +requires OuterNode(x) +ensures OuterNode(res) +{ + if(x != null) { + var nondet: Bool + var currO: Ref := x + + package OuterNode(currO) --* OuterNode(x) + unfold OuterNode(currO) + + while(nondet && currO.onext != null) + invariant acc(currO.onext) && acc(currO.down) && InnerNode(currO.down) + invariant OuterNode(currO.onext) + invariant OuterNode(currO) --* OuterNode(x) + { + nondet := havoc() + var currO_old: Ref := currO + currO := currO.onext + unfold OuterNode(currO) + + package OuterNode(currO) --* OuterNode(x) { + fold OuterNode(currO_old) + apply OuterNode(currO_old) --* OuterNode(x) + } + } + + nondet := havoc() + + var prev: Ref := currO + currO := currO.onext + + if(currO != null){ + unfold OuterNode(currO) + if(currO.down != null) { + var ic: Ref := currO.down + var currI: Ref := ic + package InnerNode(currI) --* InnerNode(ic) + unfold InnerNode(currI) + nondet := havoc() + + while(nondet && currI.inext != null) + invariant acc(currI.inext) + invariant InnerNode(currI.inext) + invariant InnerNode(currI) --* InnerNode(ic) + { + nondet := havoc() + + var currI_old: Ref := currI + currI := currI.inext + unfold InnerNode(currI) + package InnerNode(currI) --* InnerNode(ic){ + fold InnerNode(currI_old) + apply InnerNode(currI_old) --* InnerNode(ic) + } + } + + if(!nondet && currI.inext == null && currO.down == currI) { + currO.down := null + freeI(currI) + } else { + var iprev: Ref := currI + currI := currI.inext + + if(currI != null){ + unfold InnerNode(currI) + iprev.inext := currI.inext + freeI(currI) + currI := iprev + } + fold InnerNode(iprev) + apply InnerNode(iprev) --* InnerNode(ic) + } + + if(currO.down == null) { + prev.onext := currO.onext + freeO(currO) + currO := prev.onext + unfold OuterNode(currO) + } + + } + fold OuterNode(currO) + } + fold OuterNode(prev) + apply OuterNode(prev) --* OuterNode(x) + } + res := x +} + +method havoc() returns (res: Bool) + 
+method freeO(x: Ref)
+requires acc(x.onext) && acc(x.down)
+
+method freeI(x: Ref)
+requires acc(x.inext)
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/nested_sl/traverse.vpr b/src/test/resources/biabduction/grasshopper/nested_sl/traverse.vpr
new file mode 100644
index 00000000..5af7640b
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/nested_sl/traverse.vpr
@@ -0,0 +1,46 @@
+import "./nested_def.vpr"
+
+method traverse(x: Ref)
+requires OuterNode(x)
+ensures OuterNode(x)
+{
+ var currO: Ref := x
+ package OuterNode(currO) --* OuterNode(x)
+
+ while(currO != null)
+ invariant OuterNode(currO)
+ invariant OuterNode(currO) --* OuterNode(x)
+ {
+ var currO_old: Ref := currO
+
+ unfold OuterNode(currO)
+ var ic: Ref := currO.down
+
+ var currI: Ref := ic
+
+ package InnerNode(currI) --* InnerNode(ic)
+
+ while(currI != null)
+ invariant InnerNode(currI)
+ invariant InnerNode(currI) --* InnerNode(ic)
+ {
+ var currI_old: Ref := currI
+ unfold InnerNode(currI)
+ currI := currI.inext
+ package InnerNode(currI) --* InnerNode(ic){
+ fold InnerNode(currI_old)
+ apply InnerNode(currI_old) --* InnerNode(ic)
+ }
+ }
+ apply InnerNode(currI) --* InnerNode(ic)
+
+ currO := currO.onext
+
+
+ package OuterNode(currO) --* OuterNode(x) {
+ fold OuterNode(currO_old)
+ apply OuterNode(currO_old) --* OuterNode(x)
+ }
+ }
+ apply OuterNode(currO) --* OuterNode(x)
+}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl.vpr b/src/test/resources/biabduction/grasshopper/sl/sl.vpr
new file mode 100644
index 00000000..3699ccf6
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl.vpr
@@ -0,0 +1,6 @@
+field next: Ref
+field data: Int
+
+predicate list(x: Ref) {
+ x != null ==> (acc(x.next) && acc(x.data) && list(x.next))
+}
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_concat.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_concat.vpr new file mode 100644 index 00000000..1ebf7fe3 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_concat.vpr @@ -0,0 +1,32 @@ +import "./sl.vpr" + +method concat(x: Ref, y: Ref) returns (res: Ref) +//requires list(x) +requires list(y) +//ensures list(res) +{ + if (x == null) { + x := y + } else { + var curr: Ref := x + //package list(curr) --* list(x) + //unfold list(curr) + while (curr.next != null) + //invariant acc(curr.next) && acc(curr.data) + //invariant list(curr.next) + //invariant list(curr) --* list(x) + { + var prev: Ref := curr + curr := curr.next + //unfold list(curr) + //package list(curr) --* list(x) { + // fold list(prev) + // apply list(prev) --* list(x) + //} + } + curr.next := y + //fold list(curr) + //apply list(curr) --* list(x) + res := x + } +} diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_copy.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_copy.vpr new file mode 100644 index 00000000..a3fd7966 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_copy.vpr @@ -0,0 +1,34 @@ +import "./sl.vpr" + +method copy(x: Ref) returns (res: Ref) +//requires list(x) +//ensures list(x) && list(res) +{ + var curr: Ref := x + var cp: Ref := null + //fold list(cp) + //package list(curr) --* list(x) + + while (curr != null) + //invariant list(curr) && list(cp) + //invariant list(curr) --* list(x) + { + var old_curr: Ref := curr + var old_cp: Ref := cp + + cp := new(*) + cp.next := old_cp + + //unfold list(curr) + curr := curr.next + + //fold list(cp) + //package list(curr) --* list(x) { + // fold list(old_curr) + // apply list(old_curr) --* list(x) + //} + } + + res := cp + //apply list(curr) --* list(x) +} \ No newline at end of file 
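Review bot: In sl_concat.vpr the `x == null` branch does `x := y`, which assigns to the input parameter `x` and leaves the out-parameter `res` unset on that path, so `concat(null, y)` returns an arbitrary reference; the sibling sl_insert.vpr handles the same case with `res := elt`. As far as I recall Viper's consistency check rejects reassignment of formal input arguments, so the file would be refused before any abduction runs. The line should read `res := y`. The local `prev` in the loop body is also unused now that the package block below it is commented out, and a one-line comment at the top saying which contract the biabduction is expected to recover would help, since `requires list(x)` and `ensures list(res)` are commented out rather than deleted.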
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_dispose.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_dispose.vpr
new file mode 100644
index 00000000..8c5e98cc
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl_dispose.vpr
@@ -0,0 +1,19 @@
+import "./sl.vpr"
+
+method dispose(lst: Ref)
+requires list(lst)
+{
+ var curr: Ref := lst
+
+ while(curr != null)
+ invariant list(curr)
+ {
+ var curr_old: Ref := curr
+ unfold list(curr)
+ curr := curr.next
+ free(curr_old)
+ }
+}
+
+method free(x: Ref)
+requires acc(x.next)
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_double_all.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_double_all.vpr
new file mode 100644
index 00000000..35fe342a
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl_double_all.vpr
@@ -0,0 +1,29 @@
+import "./sl.vpr"
+
+method sls_double_all(lst: Ref) returns (res: Ref)
+requires list(lst)
+requires lst != null
+ensures list(lst)
+{
+ var x: Ref := lst
+ //var bound: Int := unfolding list(x) in x.data
+
+ package list(x) --* list(lst)
+
+ while(x != null)
+ invariant list(x)
+ //invariant x != null ==> unfolding list(x) in bound <= x.data
+ invariant list(x) --* list(lst)
+ {
+ var x_old: Ref := x
+ //var old_bound: Int := bound
+ unfold list(x)
+ //bound := x.data
+ x := x.next
+ package list(x) --* list(lst) {
+ fold list(x_old)
+ apply list(x_old) --* list(lst)
+ }
+ }
+ apply list(x) --* list(lst)
+}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_filter.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_filter.vpr
new file mode 100644
index 00000000..c2b7a1aa
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl_filter.vpr
@@ -0,0 +1,46 @@ +import "./sl.vpr" + +method filter(x: Ref) returns (res: Ref) +requires list(x) +ensures list(x) +{ + if(x == null) { + res := null + } else { + unfold list(x) + var prev: Ref := x + var curr: Ref := x.next + + package list(prev) --* list(x) + + while(curr != null) + invariant list(prev) --* list(x) + invariant acc(prev.next) && acc(prev.data) + invariant prev.next == curr + invariant list(curr) + { + var old_curr: Ref := curr + var old_prev: Ref := prev + + unfold list(curr) + curr := curr.next + + var nondet: Bool + if(nondet) { + prev.next := curr; + } else { + prev := old_curr + } + + if(!nondet){ + package list(prev) --* list(x) { + fold list(old_prev) + apply list(old_prev) --* list(x) + } + } + } + fold list(curr) + fold list(prev) + apply list(prev) --* list(x) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_insert.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_insert.vpr new file mode 100644 index 00000000..a6730f06 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_insert.vpr @@ -0,0 +1,43 @@ +import "./sl.vpr" + +method insert(x: Ref, elt: Ref) returns (res: Ref) +requires list(x) && acc(elt.next) && acc(elt.data) +ensures list(res) +{ + if(x == null){ + elt.next := null + fold list(elt.next) + fold list(elt) + res := elt + } else { + var nondet: Bool + var curr: Ref := x + + package list(curr) --* list(x) + unfold list(curr) + + while(nondet && curr.next != null) + invariant acc(curr.next) && acc(curr.data) + invariant list(curr.next) + invariant list(curr) --* list(x) + { + var old_curr: Ref := curr + nondet := havoc() + curr := curr.next + unfold list(curr) + package list(curr) --* list(x) { + fold list(old_curr) + apply list(old_curr) --* list(x) + } + } + elt.next := curr.next + curr.next := elt + fold list(elt) + fold list(curr) + apply list(curr) --* list(x) + res := x + } +} + + +method havoc() returns (res: Bool) 
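Review bot: In sl_filter.vpr the `if(!nondet){ package list(prev) --* list(x) { ... } }` block re-tests the condition the preceding `if(nondet) ... else` statement just decided; the package belongs in that `else` branch directly after `prev := old_curr`, where a reader can see that the wand is re-established exactly when `prev` moves. `prev.next := curr;` also carries the only trailing semicolon I see in the hand-written files of this patch; dropping it keeps the style uniform with sl_insert.vpr below.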
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_pairwise_sum.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_pairwise_sum.vpr new file mode 100644 index 00000000..25ff0a7a --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_pairwise_sum.vpr @@ -0,0 +1,77 @@ +import "./sl.vpr" + +method pairwise_sum(x: Ref, y: Ref) returns (z: Ref) +requires list(x) && list(y) +ensures list(x) && list(y) && list(z) +{ + if(x == null || y == null){ + z := null + fold list(z) + } else { + z := new(*) + + + var curr_x: Ref := x + var curr_y: Ref := y + var curr_z: Ref := z + + package list(x) --* list(x) + package list(y) --* list(y) + package list(z) --* list(z) + + unfold list(x) + unfold list(y) + + //z.next := null + //fold list(z.next) + z.data := x.data + y.data + + while(curr_x.next != null && curr_y.next != null) + invariant acc(curr_x.next) && acc(curr_x.data) && list(curr_x.next) + invariant list(curr_x) --* list(x) + invariant acc(curr_y.next) && acc(curr_y.data) && list(curr_y.next) + invariant list(curr_y) --* list(y) + invariant acc(curr_z.next) && acc(curr_z.data) + invariant list(curr_z) --* list(z) + { + var prev_x: Ref := curr_x + var prev_y: Ref := curr_y + var prev_z: Ref := curr_z + + curr_x := curr_x.next + curr_y := curr_y.next + unfold list(curr_x) + unfold list(curr_y) + curr_z := new(*) + curr_z.next := null + curr_z.data := curr_x.data + curr_y.data + + prev_z.next := curr_z + + + package list(curr_x) --* list(x){ + fold list(prev_x) + apply list(prev_x) --* list(x) + } + + package list(curr_y) --* list(y){ + fold list(prev_y) + apply list(prev_y) --* list(y) + } + + package list(curr_z) --* list(z){ + fold list(prev_z) + apply list(prev_z) --* list(z) + } + } + + fold list(curr_x) + apply list(curr_x) --* list(x) + fold list(curr_y) + apply list(curr_y) --* list(y) + curr_z.next := null + fold list(curr_z.next) + fold list(curr_z) + apply list(curr_z) --* list(z) + } +} \ No newline at end of file 
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_remove.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_remove.vpr
new file mode 100644
index 00000000..3811aeb2
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl_remove.vpr
@@ -0,0 +1,41 @@
+import "./sl.vpr"
+
+method remove(x: Ref) returns (res: Ref)
+requires list(x)
+ensures list(res)
+{
+ if(x == null){
+ res := null
+ } else {
+ var nondet: Bool
+ var curr: Ref := x
+
+ package list(curr) --* list(x)
+ unfold list(curr)
+
+ while(nondet && curr.next != null)
+ invariant acc(curr.next) && acc(curr.data)
+ invariant list(curr.next)
+ invariant list(curr) --* list(x)
+ {
+ var old_curr: Ref := curr
+ nondet := havoc()
+ curr := curr.next
+ unfold list(curr)
+ package list(curr) --* list(x) {
+ fold list(old_curr)
+ apply list(old_curr) --* list(x)
+ }
+ }
+ var tmp: Ref := curr.next
+ if(tmp != null) {
+ unfold list(tmp)
+ curr.next := tmp.next
+ }
+ fold list(curr)
+ apply list(curr) --* list(x)
+ res := x
+ }
+}
+
+method havoc() returns (res: Bool)
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_reverse.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_reverse.vpr
new file mode 100644
index 00000000..74e4a8b4
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl_reverse.vpr
@@ -0,0 +1,22 @@
+import "./sl.vpr"
+
+method reverse(x: Ref) returns (res: Ref)
+requires list(x)
+ensures list(res)
+{
+ res := null
+ fold list(res)
+ var curr: Ref := x
+ while(curr != null)
+ invariant list(curr)
+ invariant list(res)
+ {
+ var tmp: Ref := curr
+ unfold list(curr)
+ curr := curr.next
+ tmp.next := res
+ res := tmp
+ fold list(tmp)
+ }
+
+}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_set_difference.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_set_difference.vpr
new file mode 100644
index 00000000..f71a6c96
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/sl/sl_set_difference.vpr 
@@ -0,0 +1,155 @@ +import "sl.vpr" + +method difference(lst1: Ref, lst2: Ref) returns (res: Ref) +requires list(lst1) && list(lst2) +ensures list(res) && list(lst2) +{ + res := lst1 + if(lst1 != null && lst2 != null){ + + var curr_2: Ref := lst2 + package list(curr_2) --* list(lst2) + while(res != null && curr_2 != null && unfolding list(res) in unfolding list(curr_2) in res.data == curr_2.data) + invariant list(curr_2) && (list(curr_2) --* list(lst2)) + invariant list(res) + { + var prev_2: Ref := curr_2 + unfold list(curr_2) + unfold list(res) + res := res.next + curr_2 := curr_2.next + package list(curr_2) --* list(lst2){ + fold list(prev_2) + apply list(prev_2) --* list(lst2) + } + } + + if(res != null && curr_2 != null){ + + var prev_res: Ref := res + package list(prev_res) --* list(res) + unfold list(res) + var curr_res: Ref := res.next + + while(curr_res != null && curr_2 != null) + invariant list(curr_2) && (list(curr_2) --* list(lst2)) + invariant list(curr_res) + invariant acc(prev_res.data) && acc(prev_res.next) + invariant prev_res.next == curr_res + invariant list(prev_res) --* list(res) + { + var prev_2: Ref := curr_2 + var prev_res_old: Ref := prev_res + + unfold list(curr_2) + unfold list(curr_res) + + + if(curr_res.data < curr_2.data){ + curr_res := curr_res.next + prev_res := prev_res.next + fold list(curr_2) + package list(prev_res) --* list(res){ + fold list(prev_res_old) + apply list(prev_res_old) --* list(res) + } + } elseif(curr_res.data > curr_2.data){ + curr_2 := curr_2.next + package list(curr_2) --* list(lst2){ + fold list(prev_2) + apply list(prev_2) --* list(lst2) + } + fold list(curr_res) + } else { + prev_res.next := curr_res.next + curr_res := curr_res.next + fold list(curr_2) + } + } + fold list(prev_res) + apply list(prev_res) --* list(res) + } + apply list(curr_2) --* list(lst2) + } +} + +method difference1(lst1: Ref, lst2: Ref) returns (res: Ref) +requires list(lst1) && list(lst2) +ensures list(res) +{ + if(lst1 == null){ + res 
:= lst2 + } elseif(lst2 == null) { + res := lst1 + } else { + var x: Ref := lst1 + var y: Ref := lst2 + while(x != null && y != null && unfolding list(x) in unfolding list(y) in x.data == y.data) + invariant list(x) && list(y) + { + unfold list(x) + unfold list(y) + x := x.next + y := y.next + } + + if(x == null){ + res := y + } elseif(y == null){ + res := x + } else { + unfold list(x) + unfold list(y) + if(x.data < y.data){ + res := x + x := x.next + res.next := null + fold list(y) + } else { + res := y + y := y.next + res.next := null + fold list(x) + } + var res_curr: Ref := res + package list(res_curr) --* list(res) + while(x != null && y != null) + invariant list(x) && list(y) + invariant list(res_curr) --* list(res) + invariant acc(res_curr.data) && acc(res_curr.next) + { + unfold list(x) + unfold list(y) + if(x.data == y.data){ + x := x.next + y := y.next + } else { + if(x.data < y.data){ + res_curr.next := x + x := x.next + fold list(y) + } else { + res_curr.next := y + y := y.next + fold list(x) + } + + var res_prev: Ref := res_curr + res_curr := res_curr.next + package list(res_curr) --* list(res){ + fold list(res_prev) + apply list(res_prev) --* list(res) + } + } + } + + if(x == null){ + res_curr.next := y + } else { + res_curr.next := x + } + fold list(res_curr) + apply list(res_curr) --* list(res) + } + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_set_intersect.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_set_intersect.vpr new file mode 100644 index 00000000..805dd39e --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_set_intersect.vpr 
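Review bot: `difference1` answers `res := lst2` when `lst1 == null`, which is the union/intersection fallback rather than a set difference; if this method is meant to compute lst1 \ lst2, the empty case should be `res := null` followed by `fold list(res)` (a `list(null)` instance still has to be folded for `ensures list(res)` to hold). The contracts in this file are shape-only (`list(...)`), so neither this nor the data-level behaviour of the two loops is visible to the verifier, which is worth stating in a comment if only the shape is under test. `difference` and `difference1` also differ in postcondition (`list(res) && list(lst2)` versus `list(res)`); that is consistent with `difference1` consuming `lst2` into the result, but a one-line comment at the second method saying why it is a separate variant would save the next reader the comparison.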
@@ -0,0 +1,74 @@ +import "sl.vpr" + +method intersect(lst1: Ref, lst2: Ref) returns (res: Ref) +requires list(lst1) && list(lst2) +ensures list(res) && list(lst2) +{ + res := lst1 + if(lst1 != null && lst2 != null){ + + var curr_2: Ref := lst2 + package list(curr_2) --* list(lst2) + while(res != null && curr_2 != null && unfolding list(res) in unfolding list(curr_2) in res.data != curr_2.data) + invariant list(curr_2) && (list(curr_2) --* list(lst2)) + invariant list(res) + { + var prev_2: Ref := curr_2 + unfold list(curr_2) + unfold list(res) + res := res.next + curr_2 := curr_2.next + package list(curr_2) --* list(lst2){ + fold list(prev_2) + apply list(prev_2) --* list(lst2) + } + } + + if(res != null && curr_2 != null){ + + var prev_res: Ref := res + package list(prev_res) --* list(res) + unfold list(res) + var curr_res: Ref := res.next + + while(curr_res != null && curr_2 != null) + invariant list(curr_2) && (list(curr_2) --* list(lst2)) + invariant list(curr_res) + invariant acc(prev_res.data) && acc(prev_res.next) + invariant prev_res.next == curr_res + invariant list(prev_res) --* list(res) + { + var prev_2: Ref := curr_2 + var prev_res_old: Ref := prev_res + + unfold list(curr_2) + unfold list(curr_res) + + + if(curr_res.data < curr_2.data){ + prev_res.next := curr_res.next + curr_res := curr_res.next + fold list(curr_2) + } elseif(curr_res.data > curr_2.data){ + curr_2 := curr_2.next + package list(curr_2) --* list(lst2){ + fold list(prev_2) + apply list(prev_2) --* list(lst2) + } + fold list(curr_res) + } else { + curr_res := curr_res.next + prev_res := prev_res.next + fold list(curr_2) + package list(prev_res) --* list(res){ + fold list(prev_res_old) + apply list(prev_res_old) --* list(res) + } + } + } + fold list(prev_res) + apply list(prev_res) --* list(res) + } + apply list(curr_2) --* list(lst2) + } +} \ No newline at end of file 
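Review bot: the first loop of `intersect` advances both `res` and `curr_2` whenever their heads differ (`res.data != curr_2.data`), so for sorted inputs an element of `lst1` can be dropped or kept without ever being compared to the matching element of `lst2` (e.g. lst1 = [1,2,3], lst2 = [2] leaves [2,3] in `res`); the usual step advances only the list with the smaller head. The shape-only contract `list(res) && list(lst2)` cannot see this, so if the loop is a deliberate mirror of `difference` for benchmark purposes it deserves a comment such as `// shape benchmark only: element logic is not the point`; otherwise the condition and the body should follow the min-head scheme used in the second loop. The wand bookkeeping itself (`package list(curr_2) --* list(lst2)` after each step) looks correct.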
diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_set_union.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_set_union.vpr new file mode 100644 index 00000000..732f32d4 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_set_union.vpr @@ -0,0 +1,58 @@ +import "sl.vpr" + +method set_union(lst1: Ref, lst2: Ref) returns (res: Ref) +requires list(lst1) && list(lst2) +ensures list(res) +{ + if(lst1 == null){ + res := lst2 + } else { + res := lst1 + var curr: Ref := res + package list(curr) --* list(res) + + unfold list(lst1) + var l1: Ref := lst1.next + var l2: Ref := lst2 + + while(l1 != null && l2 != null) + invariant list(l1) && list(l2) + invariant acc(curr.data) && acc(curr.next) + invariant list(curr) --* list(res) + { + unfold list(l1) + unfold list(l2) + if(l1.data == curr.data){ + l1 := l1.next + fold list(l2) + } elseif(l2.data == curr.data){ + l2 := l2.next + fold list(l1) + } else { + var prev: Ref := curr + if(l1.data < l2.data){ + curr.next := l1 + curr := l1 + l1 := l1.next + fold list(l2) + } else { + curr.next := l2 + curr := l2 + l2 := l2.next + fold list(l1) + } + package list(curr) --* list(res){ + fold list(prev) + apply list(prev) --* list(res) + } + } + } + if(l1 == null){ + curr.next := l2 + } else { + curr.next := l1 + } + fold list(curr) + apply list(curr) --* list(res) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_sort_insertion.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_sort_insertion.vpr new file mode 100644 index 00000000..9d802d3a --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_sort_insertion.vpr 
@@ -0,0 +1,34 @@ +import "./sl.vpr" + +method insert(x: Ref, elt: Ref) +requires list(x) && acc(elt.next) && acc(elt.data) +ensures list(x) + +method insertion_sort(lst: Ref) returns (res: Ref) +requires list(lst) +ensures list(lst) +{ + if(lst == null){ + res := lst + } else { + unfold list(lst) + var curr: Ref := lst.next + res := lst + res.next := null + fold list(res.next) + fold list(res) + + while(curr != null) + invariant list(curr) + invariant list(res) + { + var add: Ref := curr + unfold list(curr) + curr := curr.next + insert(res, add) + } + + } +} + + diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_sort_merge.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_sort_merge.vpr new file mode 100644 index 00000000..3a068360 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_sort_merge.vpr 
@@ -0,0 +1,130 @@ +import "./sl.vpr" + +function length(x: Ref): Int +requires list(x) +{ + x == null ? 0 : unfolding list(x) in 1 + length(x.next) +} + + +method merge(a: Ref, b: Ref) returns (res: Ref) +requires list(a) && list(b) +ensures list(res) +{ + res := null + if(a == null){ + res := b + } else { + if(b == null) { + res := a + } else { + var aIt: Ref := a + var bIt: Ref := b + if (unfolding list(a) in a.data <= unfolding list(b) in b.data) { + res := a + unfold list(a) + aIt := a.next + bIt := b + } else { + res := b + unfold list(b) + aIt := a + bIt := b.next + } + + var last: Ref := res + package list(last) --* list(res) + + while (aIt != null || bIt != null) + invariant list(aIt) && list(bIt) + invariant acc(last.next) && acc(last.data) + invariant last.next == aIt || last.next == bIt + invariant list(last) --* list(res) + { + var old_last: Ref := last + + unfold list(aIt) + unfold list(bIt) + if(aIt == null || bIt != null && aIt.data > bIt.data){ + last.next := bIt + last := bIt + bIt := bIt.next + fold list(aIt) + } else { + last.next := aIt + last := aIt + aIt := aIt.next + fold list(bIt) + } + package list(last) --* list(res){ + fold list(old_last) + apply list(old_last) --* list(res) + } + } + fold list(last) + apply list(last) --* list(res) + } + } +} + +method split(x: Ref) returns (y: Ref, z: Ref) +requires list(x) +ensures list(y) && list(z) +{ + var mid: Int + mid := length(x) / 2 + + var i: Int := 0 + + var curr: Ref := x + + package list(curr) --* list(x) + + while (i < mid && curr != null) + invariant list(curr) --* list(x) + invariant list(curr) + { + + var prev: Ref := curr + unfold list(curr) + curr := curr.next + + i := i + 1 + + package list(curr) --* list(x){ + fold list(prev) + apply list(prev) --* list(x) + } + } + + if(curr != null){ + var tmp: Ref := curr + unfold list(curr) + curr := curr.next + tmp.next := null + fold list(tmp.next) + fold list(tmp) + apply list(tmp) --* list(x) + + y := x + z := curr + } else { + y := x + 
apply list(curr) --* list(x) + z := null + fold list(z) + } +} + +method merge_sort(x: Ref) returns (res: Ref) +requires list(x) +ensures list(res) +{ + var x1: Ref, x2: Ref + var res1: Ref , res2: Ref + x1, x2 := split(x) + res1 := merge_sort(x1) + res2 := merge_sort(x2) + res := merge(res1, res2) + +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_sort_quicksort.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_sort_quicksort.vpr new file mode 100644 index 00000000..563ca576 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_sort_quicksort.vpr 
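Review bot: `merge_sort` at the end of this hunk has no base case: for `x == null` or a one-node list, `split` computes `mid == 0`, its loop never runs, and it returns `y == x` unchanged, so `merge_sort(x1)` recurses on exactly the same input forever. Viper only checks partial correctness here, which is why the file verifies, but the benchmark as a program diverges and any later `decreases` clause would be rejected. Guard the recursion with `if (x == null || unfolding list(x) in x.next == null) { res := x } else { ... }` around the existing body. The recursive function `length` likewise carries no termination measure; that is legal without `decreases`, so it is a suggestion rather than a failure.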
@@ -0,0 +1,116 @@ +import "sl.vpr" + +method split(x: Ref) returns (greq: Ref, pivot: Ref, less: Ref) +requires list(x) && x != null +ensures list(greq) && list(less) +ensures acc(pivot.data) && acc(pivot.next) +{ + unfold list(x) + pivot := x + greq := x.next + pivot.next := null + + less := null + fold list(less) + + if(greq != null && unfolding list(greq) in greq.next != null){ + + unfold list(greq) + + var prev: Ref := greq + package list(prev) --* list(greq) + var curr: Ref := greq.next + var pivot_val: Int := pivot.data + + while(curr != null && unfolding list(curr) in curr.data >= pivot_val) + invariant list(curr) + invariant acc(prev.data) && acc(prev.next) + invariant prev.next == curr + invariant list(prev) --* list(greq) + { + var prev_old: Ref := prev + unfold list(curr) + prev := curr + curr := curr.next + package list(prev) --* list(greq){ + fold list(prev_old) + apply list(prev_old) --* list(greq) + } + } + + if(curr != null){ + + unfold list(curr) + less := curr + var curr_less: Ref := curr + package list(curr_less) --* list(less) + + curr := curr.next + prev.next := curr + + while(curr != null) + invariant list(curr) + invariant acc(prev.data) && acc(prev.next) + invariant prev.next == curr + invariant list(prev) --* list(greq) + invariant acc(curr_less.data) && acc(curr_less.next) + invariant list(curr_less) --* list(less) + { + unfold list(curr) + if(curr.data < pivot_val){ + var prev_less: Ref := curr_less + curr_less.next := curr + curr_less := curr + package list(curr_less) --* list(less){ + fold list(prev_less) + apply list(prev_less) --* list(less) + } + + curr := curr.next + prev.next := curr + } else { + var prev_old: Ref := prev + prev := curr + curr := curr.next + package list(prev) --* list(greq){ + fold list(prev_old) + apply list(prev_old) --* list(greq) + } + + } + } + curr_less.next := null + fold list(curr_less.next) + fold list(curr_less) + apply list(curr_less) --* list(less) + } + + fold list(prev) + apply list(prev) --* 
list(greq) + } +} + + + +method concat(x: Ref, y: Ref) returns (res: Ref) +requires list(x) && list(y) +ensures list(res) + +method quicksort(x: Ref) returns (res: Ref) +requires list(x) +ensures list(res) +{ + if(x == null){ + res := x + } else { + var g: Ref + var p: Ref + var l: Ref + g, p, l := split(x) + g := quicksort(g) + l := quicksort(l) + p.next := l + fold list(p) + res := concat(g, p) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_sort_strand.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_sort_strand.vpr new file mode 100644 index 00000000..f6472a7f --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_sort_strand.vpr 
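Review bot: `split` only partitions inside `if(greq != null && unfolding list(greq) in greq.next != null)`, so when `x.next` is a single node that node is never compared with `pivot_val` and stays in `greq` even if its data is smaller, which a quicksort would misplace; the shape-only contract `list(greq) && list(less)` cannot observe this. If that is a deliberate simplification for the biabduction benchmark, say so with a comment at the `if`; otherwise the one-node case needs the same comparison as the loop and a move to `less` when `data < pivot_val`. `concat` is left abstract, so `quicksort` never relates `g`, `p` and `l` beyond shape either, which is fine for this suite but should be stated once at the top of the file.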
@@ -0,0 +1,120 @@ +import "sl.vpr" + +method merge(a: Ref, b: Ref) returns (res: Ref) +requires list(a) && list(b) +ensures list(res) + +method pull_strands(lst: Ref) returns (sorted: Ref, rest: Ref) +requires list(lst) && lst != null +ensures list(sorted) +ensures list(rest) +{ + + var prev: Ref + + unfold list(lst) + var curr: Ref := lst.next + + sorted := lst + sorted.next := null + var curr_sorted: Ref := sorted + + package list(sorted) --* list(sorted) + + + while(curr != null && unfolding list(curr) in curr.data >= curr_sorted.data) + invariant list(curr) + invariant acc(curr_sorted.next) && acc(curr_sorted.data) + invariant list(curr_sorted) --* list(sorted) + { + prev := curr + unfold list(curr) + curr := curr.next + + var prev_sorted: Ref := curr_sorted + prev.next := null + curr_sorted.next := prev + curr_sorted := prev + package list(curr_sorted) --* list(sorted){ + fold list(prev_sorted) + apply list(prev_sorted) --* list(sorted) + } + } + + rest := curr + + if(rest != null){ + + prev := rest + package list(prev) --* list(rest) + unfold list(prev) + curr := curr.next + + while(curr != null) + invariant list(prev) --* list(rest) + invariant acc(prev.next) && acc(prev.data) + invariant prev.next == curr + invariant list(curr) + invariant acc(curr_sorted.next) && acc(curr_sorted.data) + invariant list(curr_sorted) --* list(sorted) + { + unfold list(curr) + + if(curr.data >= curr_sorted.data){ + var old_prev: Ref := prev + var old_curr: Ref := curr + var old_curr_sorted: Ref := curr_sorted + + curr := curr.next + curr_sorted.next := old_curr + curr_sorted := old_curr + old_curr.next := null + prev.next := curr + assert acc(prev.next) + + package list(curr_sorted) --* list(sorted){ + fold list(old_curr_sorted) + apply list(old_curr_sorted) --* list(sorted) + } + } else { + var prev_prev: Ref := prev + prev := curr + curr := curr.next + package list(prev) --* list(rest){ + fold list(prev_prev) + apply list(prev_prev) --* list(rest) + } + } + } + + fold 
list(prev) + apply list(prev) --* list(rest) + + + } + + if(rest == null){ + fold list(rest) + } + + curr_sorted.next := null + fold list(curr_sorted.next) + fold list(curr_sorted) + apply list(curr_sorted) --* list(sorted) +} + +method strand_sort(x: Ref) returns (res: Ref) +requires list(x) +ensures list(res) +{ + res := null + fold list(res) + var lst: Ref := x + while(lst != null) + invariant list(lst) && list(res) + { + var new_sorted: Ref + new_sorted, lst := pull_strands(lst) + res := merge(res, new_sorted) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/sl/sl_traverse.vpr b/src/test/resources/biabduction/grasshopper/sl/sl_traverse.vpr new file mode 100644 index 00000000..46b5d53c --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/sl/sl_traverse.vpr @@ -0,0 +1,51 @@ +import "./sl.vpr" + +method traverse1(x: Ref) +requires list(x) +ensures list(x) +{ + var curr: Ref := x + package list(curr) --* list(x) + + while (curr != null) + invariant list(curr) + invariant list(curr) --* list(x) + { + var old_curr: Ref := curr + unfold list(curr) + curr := curr.next + package list(curr) --* list(x) { + fold list(old_curr) + apply list(old_curr) --* list(x) + } + } + apply list(curr) --* list(x) +} + +method traverse2(x: Ref) +requires list(x) +ensures list(x) +{ + if(x != null){ + var curr: Ref := x + package list(curr) --* list(x) + unfold list(curr) + + while (curr.next != null) + invariant acc(curr.next) && acc(curr.data) + invariant list(curr.next) + invariant list(curr) --* list(x) + { + var old_curr: Ref := curr + curr := curr.next + unfold list(curr) + package list(curr) --* list(x) { + fold list(old_curr) + apply list(old_curr) --* list(x) + } + } + fold list(curr) + apply list(curr) --* list(x) + + } +} \ No newline at end of file 
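Review bot: `pull_strands` keeps a debugging leftover, `assert acc(prev.next)` immediately after `prev.next := curr` in the second loop; it follows directly from the invariant `acc(prev.next) && acc(prev.data)` and contributes nothing to the proof, so drop it. The earlier `package list(sorted) --* list(sorted)` packages a trivial wand that the invariant `list(curr_sorted) --* list(sorted)` relies on because `curr_sorted == sorted` at that point; a comment `// trivial wand: curr_sorted == sorted on entry` would make that intent obvious. Likewise the `if(rest == null){ fold list(rest) }` after the conditional duplicates a `list(curr)` instance the loop invariant already provides at exit; harmless for a predicate on null, but worth a comment if it is needed for the abduction tool rather than the verifier.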
diff --git a/src/test/resources/biabduction/grasshopper/tree/list2tree.vpr b/src/test/resources/biabduction/grasshopper/tree/list2tree.vpr new file mode 100644 index 00000000..50d3b32b --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/list2tree.vpr @@ -0,0 +1,26 @@ +import "tree.vpr" +import "../sl/sl.vpr" + +method insert(root: Ref, value: Int) returns (res: Ref) +requires tree(root) +ensures tree(res) + +method list2tree(lst: Ref) returns (res: Ref) +requires list(lst) +ensures tree(res) +{ + + res := null + fold tree(res) + var curr: Ref := lst + + while(curr != null) + invariant list(curr) + invariant tree(res) + { + var curr_old: Ref := curr + unfold list(curr) + curr := curr.next + res := insert(res, curr_old.data) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/tree/skew_heap.spl b/src/test/resources/biabduction/grasshopper/tree/skew_heap.spl new file mode 100644 index 00000000..bff81e8b --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/skew_heap.spl 
@@ -0,0 +1,79 @@ +struct Node { + var left: Node; + var right: Node; + var data: Int; +} + +predicate skew_heap(x: Node, content: bag) { + x == null &*& + content == bag() + || + x != null &*& + acc(x) &*& + skew_heap(x.left, l_content) &*& + skew_heap(x.right, r_content) &*& + content == l_content ++ r_content ++ bag(x.data) &*& + (x.left == null || x.left.data >= x.data) &*& + (x.right == null || x.right.data >= x.data) +} + +//from http://en.wikipedia.org/wiki/Skew_heap + +// union :: Ord a => SkewHeap a -> SkewHeap a -> SkewHeap a +// Empty `union` t2 = t2 +// t1 `union` Empty = t1 +// t1@(Node x1 l1 r1) `union` t2@(Node x2 l2 r2) +// | x1 <= x2 = Node x1 (t2 `union` r1) l1 +// | otherwise = Node x2 (t1 `union` r2) l2 +procedure union(h1: Node, h2: Node, implicit ghost content1: bag, implicit ghost content2: bag) returns (res: Node) + requires skew_heap(h1, content1) &*& skew_heap(h2, content2); + ensures skew_heap(res, content1 ++ content2); +{ + if (h1 == null) { + return h2; + } else if (h2 == null) { + return h1; + } else if (h1.data <= h2.data) { + var u : Node; + u := union(h2, h1.right); + h1.right := h1.left; + h1.left := u; + return h1; + } else { + var u : Node; + u := union(h1, h2.right); + h2.right := h2.left; + h2.left := u; + return h2; + } +} + +// insert :: Ord a => a -> SkewHeap a -> SkewHeap a +// insert x heap = singleton x `union` heap +procedure insert(h: Node, value: Int, implicit ghost content: bag) returns (res: Node) + requires skew_heap(h, content); + ensures skew_heap(res, content ++ bag(value)); +{ + var n: Node; + n := new Node; + n.left := null; + n.right := null; + n.data := value; + returns union(h, n); +} + +// extractMin :: Ord a => SkewHeap a -> Maybe (a, SkewHeap a) +// extractMin Empty = Nothing +// extractMin (Node x l r) = Just (x, l `union` r) +procedure extractMin(h: Node, implicit ghost content: bag) returns (min: Int, rest: Node) + requires skew_heap(h, content) &*& h != null; + ensures skew_heap(rest, content -- 
bag(min)); + ensures forall n in content :: n >= min; +{ + var d : Int; + d := h.data; + var hp: Node; + hp := union(h.left, h.right); + free h; + return d, hp; +} diff --git a/src/test/resources/biabduction/grasshopper/tree/skew_heap_no_content.spl b/src/test/resources/biabduction/grasshopper/tree/skew_heap_no_content.spl new file mode 100644 index 00000000..922e902f --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/skew_heap_no_content.spl @@ -0,0 +1,57 @@ +include "../include/bstree.spl"; + +procedure union(h1: Node, h2: Node) + returns (res: Node) + requires heap(h1) &*& heap(h2) + ensures heap(res) +{ + if (h1 == null) { + return h2; + } else if (h2 == null) { + return h1; + } else if (h1.data >= h2.data) { + var u: Node, r: Node; + r := h1.right; + h1.right := h1.left; + if (r != null) { r.parent := null; } + u := union(h2, r); + h1.left := u; + if (u != null) { u.parent := h1; } + return h1; + } else { + return union(h2, h1); + } +} + +procedure extractMax(h: Node) + returns (max: Int, rest: Node) + requires heap(h) &*& h != null + ensures heap(rest) +{ + var d : Int; + d := h.data; + var hp: Node, r: Node, l: Node; + l := h.left; + r := h.right; + h.parent := null; + free h; + if (l != null) { l.parent := null; } + if (r != null) { r.parent := null; } + hp := union(l, r); + if (hp != null) { hp.parent := null; } + return d, hp; +} + +procedure insert(h: Node, value: Int) + returns (res: Node) + requires heap(h) + ensures heap(res) +{ + var n: Node; + n := new Node; + n.left := null; + n.right := null; + n.parent := null; + n.data := value; + return union(h, n); +} diff --git a/src/test/resources/biabduction/grasshopper/tree/tree.vpr b/src/test/resources/biabduction/grasshopper/tree/tree.vpr new file mode 100644 index 00000000..7706c2c2 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree.vpr 
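Review bot: `insert` in skew_heap.spl ends with `returns union(h, n);`, which is the signature keyword, not a statement; the other procedures use `return`, so this should read `return union(h, n);`. Both `.spl` files added here are GRASShopper input rather than Viper, and every other resource in this directory is a `.vpr`, so presumably the biabduction runner never picks them up; either translate them like the neighbouring `tree_*.vpr` files or keep them out of the resources tree. The `skew_heap` predicate also reads `l_content` and `r_content` without visibly binding them, so as written it looks like it would not typecheck even under GRASShopper — worth confirming before keeping the file as a reference.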
@@ -0,0 +1,14 @@ +field left: Ref +field right: Ref +field val: Int + +field tNext: Ref +field elem: Ref + +predicate tree(x: Ref){ + x != null ==> acc(x.left) && acc(x.right) && acc(x.val) && tree(x.left) && tree(x.right) +} + +predicate tList(x: Ref){ + x != null ==> acc(x.tNext) && acc(x.elem) && tList(x.tNext) && tree(x.elem) +} diff --git a/src/test/resources/biabduction/grasshopper/tree/tree2list.vpr b/src/test/resources/biabduction/grasshopper/tree/tree2list.vpr new file mode 100644 index 00000000..21ec609f --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree2list.vpr @@ -0,0 +1,52 @@ +import "tree.vpr" +import "../sl/sl.vpr" + +method insert(x: Ref, newVal: Int) returns (res: Ref) +requires list(x) +ensures list(res) + +method tree2list(root: Ref) returns (res: Ref) +requires tree(root) +ensures list(res) +{ + res := null + fold list(res) + + if(root != null){ + + var remaining: Ref := new(*) + remaining.tNext := null + remaining.elem := root + fold tList(remaining.tNext) + fold tList(remaining) + + while(remaining != null) + invariant tList(remaining) + invariant list(res) + { + unfold tList(remaining) + var current: Ref := remaining.elem + if(current != null){ + + unfold tree(current) + + var lNode: Ref := new(*) + var rNode: Ref := new(*) + lNode.elem := current.left + rNode.elem := current.right + + rNode.tNext := remaining.tNext + lNode.tNext := rNode + remaining.tNext := lNode + + + res := insert(res, current.val) + + + fold tList(rNode) + fold tList(lNode) + } + remaining := remaining.tNext + } + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_contains.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_contains.vpr new file mode 100644 index 00000000..36080bda --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree_contains.vpr 
@@ -0,0 +1,43 @@ +import "./tree.vpr" + +method contains(root: Ref, value: Int) returns (res: Bool) +requires tree(root) +ensures tree(root) +{ + if(root == null){ + res := false + } else { + + var curr: Ref := root + package tree(curr) --* tree(root) + unfold tree(curr) + + while(curr != null && curr.val != value) + invariant tree(curr) --* tree(root) + invariant curr != null ==> (acc(curr.left) && acc(curr.right) && acc(curr.val)) + invariant curr != null ==> (tree(curr.left) && tree(curr.right)) + { + + var prev: Ref := curr + if(curr.val > value){ + curr := curr.left + } else { + curr := curr.right + } + + unfold tree(curr) + package tree(curr) --* tree(root){ + fold tree(prev) + apply tree(prev) --* tree(root) + } + } + + if(curr != null){ + res := true + } else { + res := false + } + fold tree(curr) + apply tree(curr) --* tree(root) + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_destroy.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_destroy.vpr new file mode 100644 index 00000000..ac9e42f8 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree_destroy.vpr @@ -0,0 +1,42 @@ +import "./tree.vpr" + +method destroy(root: Ref) +requires tree(root) +{ + if(root != null){ + var remaining: Ref := new(*) + remaining.tNext := null + remaining.elem := root + fold tList(remaining.tNext) + fold tList(remaining) + + while(remaining != null) + invariant tList(remaining) + { + unfold tList(remaining) + var current: Ref := remaining.elem + if(current != null){ + + unfold tree(current) + + var lNode: Ref := new(*) + var rNode: Ref := new(*) + lNode.elem := current.left + rNode.elem := current.right + + rNode.tNext := remaining.tNext + lNode.tNext := rNode + remaining.tNext := lNode + + free(current) + + fold tList(rNode) + fold tList(lNode) + } + remaining := remaining.tNext + } + } +} + +method free(root: Ref) +requires acc(root.left) && acc(root.right) \ No newline at end of file 
diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_extract_max.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_extract_max.vpr new file mode 100644 index 00000000..dd42a5d4 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree_extract_max.vpr @@ -0,0 +1,53 @@ +import "./tree.vpr" + +method extract_max(root: Ref) returns (rest: Ref, max: Ref) +requires tree(root) && root != null +ensures tree(rest) +ensures tree(max) && max != null +{ + + unfold tree(root) + var curr: Ref := root.right + if(curr == null){ + rest := root.left + max := root + root.left := null + fold tree(max.left) + fold tree(max) + } else { + var prev: Ref := root + package tree(prev) --* tree(root) + + unfold tree(curr) + + while(curr.right != null) + invariant acc(prev.left) && acc(prev.right) && acc(prev.val) + invariant tree(prev.left) + invariant acc(curr.left) && acc(curr.right) && acc(curr.val) + invariant tree(curr.left) && tree(curr.right) + invariant tree(prev) --* tree(root) + invariant prev.right == curr + { + var prev_old: Ref := prev + prev := curr + curr := curr.right + unfold tree(curr) + package tree(prev) --* tree(root){ + fold tree(prev_old) + apply tree(prev_old) --* tree(root) + } + } + + prev.right := curr.left + fold tree(prev) + apply tree(prev) --* tree(root) + rest := root + + curr.left := null + max := curr + fold tree(curr.left) + fold tree(curr) + } + + assert tree(max) +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_insert.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_insert.vpr new file mode 100644 index 00000000..d7315a02 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree_insert.vpr 
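Review bot: `extract_max` ends with a stray `assert tree(max)` that merely restates the postcondition `ensures tree(max) && max != null` the verifier checks on exit anyway; remove it or turn it into a comment so readers do not wonder what it guards. The loop invariant `prev.right == curr` together with `acc(prev.left) && acc(prev.right) && acc(prev.val)` is what lets `prev.right := curr.left` and the following `fold tree(prev)` go through, and a one-line comment saying so above the `while` would help, since that is the non-obvious part of the proof.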
@@ -0,0 +1,57 @@ +import "./tree.vpr" + +method insert(root: Ref, value: Int) returns (res: Ref) +requires tree(root) +ensures tree(res) +{ + if(root == null){ + res := new(*) + res.left := null + res.right := null + res.val := value + fold tree(res.left) + fold tree(res.right) + fold tree(res) + } else { + + var curr: Ref := root + package tree(curr) --* tree(root) + unfold tree(curr) + + while(curr != null && curr.val != value) + invariant acc(curr.left) && acc(curr.right) && acc(curr.val) + invariant tree(curr.left) && tree(curr.right) + invariant tree(curr) --* tree(root) + { + var prev: Ref := curr + if(curr.val < value){ + curr := curr.right + } else { + curr := curr.left + } + if(curr == null){ + var t: Ref := new(*) + t.left := null + t.right := null + t.val := value + fold tree(t.left) + fold tree(t.right) + fold tree(t) + if(prev.val < value){ + prev.right := t + } else { + prev.left := t + } + curr := t + } + unfold tree(curr) + package tree(curr) --* tree(root){ + fold tree(prev) + apply tree(prev) --* tree(root) + } + } + fold tree(curr) + apply tree(curr) --* tree(root) + res := root + } +} \ No newline at end of file diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_merge.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_merge.vpr new file mode 100644 index 00000000..8faf10ad --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree_merge.vpr @@ -0,0 +1,23 @@ +import "./tree.vpr" + +method merge(leftT: Ref, rightT: Ref) returns (res: Ref) +requires tree(leftT) && tree(rightT) +ensures tree(res) +{ + if(leftT == null){ + res := rightT + } else { + if(rightT == null){ + res := leftT + } else { + var left_new: Ref + var root: Ref + left_new, root := extract_max(leftT) + unfold tree(root) + root.left := left_new + root.right := rightT + fold tree(root) + res := root + } + } +} \ No newline at end of file 
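Review bot: `merge` in tree_merge.vpr calls `extract_max(leftT)`, but the file only imports `./tree.vpr`, which declares no such method, so as a standalone Viper file it should fail name resolution before biabduction starts (unless the harness concatenates the directory, which nothing in the diff suggests). The sibling files declare the helpers they use as abstract methods (`insert` in list2tree.vpr, `free` in tree_destroy.vpr), so follow that convention with `method extract_max(root: Ref) returns (rest: Ref, max: Ref) requires tree(root) && root != null ensures tree(rest) && tree(max) && max != null`, or add `import "./tree_extract_max.vpr"`. Note that the later `unfold tree(root)` and `root.right := rightT` depend on the `max != null` conjunct, so whichever form is chosen must carry it.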
diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_remove.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_remove.vpr new file mode 100644 index 00000000..017e7585 --- /dev/null +++ b/src/test/resources/biabduction/grasshopper/tree/tree_remove.vpr 
@@ -0,0 +1,89 @@
+import "./tree.vpr"
+
+method remove(root: Ref, value: Int) returns (res: Ref)
+requires tree(root)
+{
+ if(root == null){
+ res := root
+ } else {
+
+ var curr: Ref := root
+ package tree(curr) --* tree(root)
+ unfold tree(root)
+
+ if(root.val == value){
+ res := merge(root.left, root.right)
+ free(root)
+ } else {
+
+ var found: Bool := false
+
+ while(curr != null && !found)
+ invariant acc(curr.left) && acc(curr.right) && acc(curr.val)
+ invariant tree(curr.left) && tree(curr.right)
+ invariant tree(curr) --* tree(root)
+ {
+ unfold tree(curr.left)
+ unfold tree(curr.right)
+
+ // We found it to the left
+ if(curr.left != null && curr.left.val == value){
+ found := true
+ var left_old: Ref := curr.left
+ var left_new: Ref
+ left_new := merge(curr.left.left, curr.left.right)
+ curr.left := left_new
+ free(left_old)
+ fold tree(curr.right)
+
+ } else {
+
+ // We found it to the right
+ if(curr.right != null && curr.right.val == value){
+ var right_old: Ref := curr.right
+ var right_new: Ref
+ right_new := merge(curr.right.left, curr.right.right)
+ curr.right := right_new
+ free(right_old)
+ fold tree(curr.left)
+ } else {
+
+ // We progress along the tree
+ var curr_old: Ref := curr
+ if(curr.val < value){
+ if(curr.right == null){
+ found := true
+ fold tree(curr.left)
+ fold tree(curr.right)
+ } else {
+ fold tree(curr.left)
+ curr := curr.right
+ package tree(curr) --* tree(root){
+ fold tree(curr_old)
+ apply tree(curr_old) --* tree(root)
+ }
+ }
+ } else {
+ if(curr.left == null){
+ found := true
+ fold tree(curr.left)
+ fold tree(curr.right)
+ } else {
+ fold tree(curr.right)
+ curr := curr.left
+ package tree(curr) --* tree(root){
+ fold tree(curr_old)
+ apply tree(curr_old) --* tree(root)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ fold tree(curr)
+ apply tree(curr) --* tree(root)
+ res := root
+ }
+ }
+}
\ No newline at end of file
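Review bot: The right-hand match branch never sets `found := true`, unlike the left-hand branch under `// We found it to the left`; after `curr.right := right_new` the loop therefore continues, and since `curr.val < value` still holds it presumably descends into the freshly merged subtree until it runs off a leaf, which is wasted traversal and an asymmetry a reader will take for a bug. Adding `found := true` as the first statement of the `if(curr.right != null && curr.right.val == value)` block mirrors the left case. Separately, `remove` has `requires tree(root)` but no `ensures`, whereas insert and merge end with `ensures tree(res)`; if the postcondition is deliberately left for the biabduction tool to infer, a comment such as `// postcondition intentionally omitted: expected to be abduced` stops someone from "fixing" it. `free(root)` / `free(left_old)` / `free(right_old)` is not a statement of standard Viper, so which permissions it consumes is presumably defined by this fork and is worth a one-line note as well.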
diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_rotate_left.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_rotate_left.vpr
new file mode 100644
index 00000000..e09126c3
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/tree/tree_rotate_left.vpr
@@ -0,0 +1,17 @@
+import "./tree.vpr"
+
+method rotate_left(root: Ref) returns (res: Ref)
+requires tree(root) && root != null
+requires unfolding tree(root) in root.right != null
+ensures tree(res)
+{
+ unfold tree(root)
+ res := root.right
+ unfold tree(res)
+
+ root.right := res.left
+ res.left := root
+
+ fold tree(root)
+ fold tree(res)
+}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_rotate_right.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_rotate_right.vpr
new file mode 100644
index 00000000..39cd366c
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/tree/tree_rotate_right.vpr
@@ -0,0 +1,19 @@
+import "./tree.vpr"
+
+method rotate_right(root: Ref) returns (res: Ref)
+requires tree(root) && root != null
+requires unfolding tree(root) in root.left != null
+ensures tree(res)
+{
+ unfold tree(root)
+ res := root.left
+ unfold tree(res)
+
+ root.left := res.right
+ res.right := root
+
+ fold tree(root)
+ fold tree(res)
+}
+
+method traverse(root: Ref)
\ No newline at end of file
diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_singleton.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_singleton.vpr
new file mode 100644
index 00000000..acc6a627
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/tree/tree_singleton.vpr
@@ -0,0 +1,13 @@
+import "./tree.vpr"
+
+method singleton(value: Int) returns (root: Ref)
+ensures tree(root)
+{
+ root := new(*)
+ root.left := null
+ root.right := null
+ root.val := value
+ fold tree(root.left)
+ fold tree(root.right)
+ fold tree(root)
+}
\ No newline at end of file
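Review bot: tree_rotate_right.vpr ends with a bodiless `method traverse(root: Ref)` that has no specification and no connection to the rotation above it, which looks like a leftover stub. If it is meant as an abduction target it belongs in its own test file with a comment saying what is expected to be inferred; otherwise the two trailing lines should be deleted. The rotate_left, rotate_right and singleton hunks are otherwise consistent with each other.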
diff --git a/src/test/resources/biabduction/grasshopper/tree/tree_skew_union.vpr b/src/test/resources/biabduction/grasshopper/tree/tree_skew_union.vpr
new file mode 100644
index 00000000..c7733357
--- /dev/null
+++ b/src/test/resources/biabduction/grasshopper/tree/tree_skew_union.vpr
@@ -0,0 +1,60 @@
+import "./tree.vpr"
+
+method skew_union(t1: Ref, t2: Ref) returns (root1: Ref)
+requires tree(t1) && tree(t2)
+ensures tree(root1)
+{
+ if(t1 == null){
+ root1 := t2
+ } elseif (t2 == null){
+ root1 := t1
+ } else {
+
+ root1 := t1
+ var root2: Ref := t2
+
+ var curr_root1: Ref := root1
+ var curr_root2: Ref := root2
+ package tree(curr_root1) && tree(curr_root2) --* tree(root1) && tree(root2)
+
+ while(curr_root2!= null && curr_root1 != null)
+ invariant tree(curr_root1) && tree(curr_root2)
+ invariant tree(curr_root1) && tree(curr_root2) --* tree(root1) && tree(root2)
+ {
+ var prev1: Ref := curr_root1
+ var prev2: Ref := curr_root2
+
+ unfold tree(curr_root1)
+ unfold tree(curr_root2)
+
+
+ if(curr_root2.val >= curr_root1.val){
+ var tmp: Ref := curr_root1.right
+ curr_root1.right := curr_root1.left
+ curr_root1.left := null
+ fold tree(curr_root1.left)
+ curr_root1 := tmp
+
+ package tree(curr_root1) && tree(curr_root2) --* tree(root1) && tree(root2){
+ fold tree(prev1)
+ apply tree(prev1) && tree(curr_root2) --* tree(root1) && tree(root2)
+ }
+ fold tree(curr_root2)
+ } else {
+ assume false
+ }
+
+
+
+
+ //var swap: Bool := curr_root2.val < curr_root1.val
+
+
+
+
+
+
+
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/nlist/alias.vpr b/src/test/resources/biabduction/mytests/nlist/alias.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/alias.vpr
rename to src/test/resources/biabduction/mytests/nlist/alias.vpr
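Review bot: The `else { assume false }` at `if(curr_root2.val >= curr_root1.val)` makes the `curr_root2.val < curr_root1.val` path vacuous, so skew_union is only checked for half of its inputs; together with the commented-out `//var swap` line and the run of blank lines, the file reads as unfinished. The wand packaged before the loop, `tree(curr_root1) && tree(curr_root2) --* tree(root1) && tree(root2)`, is also never applied after the loop exits, so the visible code does not re-establish `ensures tree(root1)` unless that final `apply` is exactly what the biabduction run is expected to add. A header comment such as `// WIP: only the curr_root2.val >= curr_root1.val case is implemented; the closing apply is left for inference` would make the intent explicit. Note also that the implemented branch only rewires `curr_root1`'s children and never links a node of t2 into t1, so no union is performed yet.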
diff --git a/src/test/resources/biabduction/nlist/apply.vpr b/src/test/resources/biabduction/mytests/nlist/apply.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/apply.vpr
rename to src/test/resources/biabduction/mytests/nlist/apply.vpr
diff --git a/src/test/resources/biabduction/nlist/branching.vpr b/src/test/resources/biabduction/mytests/nlist/branching.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/branching.vpr
rename to src/test/resources/biabduction/mytests/nlist/branching.vpr
diff --git a/src/test/resources/biabduction/nlist/bug.vpr b/src/test/resources/biabduction/mytests/nlist/bug.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/bug.vpr
rename to src/test/resources/biabduction/mytests/nlist/bug.vpr
diff --git a/src/test/resources/biabduction/nlist/build.vpr b/src/test/resources/biabduction/mytests/nlist/build.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/build.vpr
rename to src/test/resources/biabduction/mytests/nlist/build.vpr
diff --git a/src/test/resources/biabduction/nlist/fold.vpr b/src/test/resources/biabduction/mytests/nlist/fold.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/fold.vpr
rename to src/test/resources/biabduction/mytests/nlist/fold.vpr
diff --git a/src/test/resources/biabduction/nlist/foldbase.vpr b/src/test/resources/biabduction/mytests/nlist/foldbase.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/foldbase.vpr
rename to src/test/resources/biabduction/mytests/nlist/foldbase.vpr
diff --git a/src/test/resources/biabduction/nlist/hidden.vpr b/src/test/resources/biabduction/mytests/nlist/hidden.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/hidden.vpr
rename to src/test/resources/biabduction/mytests/nlist/hidden.vpr
diff --git a/src/test/resources/biabduction/nlist/lookahead.vpr b/src/test/resources/biabduction/mytests/nlist/lookahead.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/lookahead.vpr
rename to src/test/resources/biabduction/mytests/nlist/lookahead.vpr
diff --git a/src/test/resources/biabduction/nlist/loop.vpr b/src/test/resources/biabduction/mytests/nlist/loop.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/loop.vpr
rename to src/test/resources/biabduction/mytests/nlist/loop.vpr
diff --git a/src/test/resources/biabduction/nlist/methodcall.vpr b/src/test/resources/biabduction/mytests/nlist/methodcall.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/methodcall.vpr
rename to src/test/resources/biabduction/mytests/nlist/methodcall.vpr
diff --git a/src/test/resources/biabduction/nlist/nlist.vpr b/src/test/resources/biabduction/mytests/nlist/nlist.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/nlist.vpr
rename to src/test/resources/biabduction/mytests/nlist/nlist.vpr
diff --git a/src/test/resources/biabduction/nlist/package.vpr b/src/test/resources/biabduction/mytests/nlist/package.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/package.vpr
rename to src/test/resources/biabduction/mytests/nlist/package.vpr
diff --git a/src/test/resources/biabduction/nlist/postabstraction.vpr b/src/test/resources/biabduction/mytests/nlist/postabstraction.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/postabstraction.vpr
rename to src/test/resources/biabduction/mytests/nlist/postabstraction.vpr
diff --git a/src/test/resources/biabduction/nlist/reassign.vpr b/src/test/resources/biabduction/mytests/nlist/reassign.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/reassign.vpr
rename to src/test/resources/biabduction/mytests/nlist/reassign.vpr
diff --git a/src/test/resources/biabduction/nlist/remove.vpr b/src/test/resources/biabduction/mytests/nlist/remove.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/remove.vpr
rename to src/test/resources/biabduction/mytests/nlist/remove.vpr
diff --git a/src/test/resources/biabduction/nlist/strict.vpr b/src/test/resources/biabduction/mytests/nlist/strict.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/strict.vpr
rename to src/test/resources/biabduction/mytests/nlist/strict.vpr
diff --git a/src/test/resources/biabduction/nlist/unfeas.vpr b/src/test/resources/biabduction/mytests/nlist/unfeas.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/unfeas.vpr
rename to src/test/resources/biabduction/mytests/nlist/unfeas.vpr
diff --git a/src/test/resources/biabduction/nlist/unfold.vpr b/src/test/resources/biabduction/mytests/nlist/unfold.vpr
similarity index 100%
rename from src/test/resources/biabduction/nlist/unfold.vpr
rename to src/test/resources/biabduction/mytests/nlist/unfold.vpr
diff --git a/src/test/resources/biabduction/nnlist/fold.vpr b/src/test/resources/biabduction/mytests/nnlist/fold.vpr
similarity index 100%
rename from src/test/resources/biabduction/nnlist/fold.vpr
rename to src/test/resources/biabduction/mytests/nnlist/fold.vpr
diff --git a/src/test/resources/biabduction/nnlist/loop.vpr b/src/test/resources/biabduction/mytests/nnlist/loop.vpr
similarity index 100%
rename from src/test/resources/biabduction/nnlist/loop.vpr
rename to src/test/resources/biabduction/mytests/nnlist/loop.vpr
diff --git a/src/test/resources/biabduction/nnlist/nnlist.vpr b/src/test/resources/biabduction/mytests/nnlist/nnlist.vpr
similarity index 100%
rename from src/test/resources/biabduction/nnlist/nnlist.vpr
rename to src/test/resources/biabduction/mytests/nnlist/nnlist.vpr
diff --git a/src/test/resources/biabduction/ntree/foldtree.vpr b/src/test/resources/biabduction/mytests/ntree/foldtree.vpr
similarity index 100%
rename from src/test/resources/biabduction/ntree/foldtree.vpr
rename to src/test/resources/biabduction/mytests/ntree/foldtree.vpr
diff --git a/src/test/resources/biabduction/ntree/looptree.vpr b/src/test/resources/biabduction/mytests/ntree/looptree.vpr
similarity index 100%
rename from src/test/resources/biabduction/ntree/looptree.vpr
rename to src/test/resources/biabduction/mytests/ntree/looptree.vpr
diff --git a/src/test/resources/biabduction/ntree/unfold.vpr b/src/test/resources/biabduction/mytests/ntree/unfold.vpr
similarity index 100%
rename from src/test/resources/biabduction/ntree/unfold.vpr
rename to src/test/resources/biabduction/mytests/ntree/unfold.vpr
diff --git a/src/test/resources/biabduction/slist.vpr b/src/test/resources/biabduction/slist.vpr
deleted file mode 100644
index e913609a..00000000
--- a/src/test/resources/biabduction/slist.vpr
+++ /dev/null
@@ -1,34 +0,0 @@
-field next: Ref
-field data: Int
-
-predicate sllist(x: Ref) {
- x != null ==> acc(x.next) && acc(x.data) && sllist(x.next) && (x.next != null ==> unfolding sllist(x.next) in x.data <= x.next.data)
-}
-
-method sls_double_all(lst: Ref) returns (res: Ref)
-requires sllist(lst)
-requires lst != null
-ensures sllist(lst)
-{
- var x: Ref := lst
- var bound: Int := unfolding sllist(x) in x.data
-
- package (sllist(x) && (x != null ==> unfolding sllist(x) in bound <= x.data)) --* sllist(lst)
-
- while(x != null)
- invariant sllist(x)
- invariant x != null ==> unfolding sllist(x) in bound <= x.data
- invariant (sllist(x) && (x != null ==> unfolding sllist(x) in bound <= x.data)) --* sllist(lst)
- {
- var x_old: Ref := x
- var old_bound: Int := bound
- unfold sllist(x)
- bound := x.data
- x := x.next
- package (sllist(x) && (x != null ==> unfolding sllist(x) in bound <= x.data)) --* sllist(lst) {
- fold sllist(x_old)
- apply (sllist(x_old) && (x_old != null ==> unfolding sllist(x_old) in old_bound <= x_old.data)) --* sllist(lst)
- }
- }
- apply (sllist(x) && (x != null ==> unfolding sllist(x) in bound <= x.data)) --* sllist(lst)
-}
\ No newline at end of file
diff --git a/src/test/resources/biabduction/vipertests/basic/assert.vpr b/src/test/resources/biabduction/vipertests/basic/assert.vpr
new file mode 100644
index 00000000..f5aedd4a
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/basic/assert.vpr
@@ -0,0 +1,13 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+
+field test: Bool
+
+method t1(b: Bool, d: Int, r: Ref) returns ()
+ //requires acc(r.test, write)
+ //ensures acc(r.test, write)
+{
+ r.test := b
+ assert b == (r.test)
+}
diff --git a/src/test/resources/biabduction/vipertests/basic/disjunction_fast_20.vpr b/src/test/resources/biabduction/vipertests/basic/disjunction_fast_20.vpr
new file mode 100644
index 00000000..e13c8987
--- /dev/null
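Review bot: In assert.vpr the contract of `t1` is commented out (`//requires acc(r.test, write)` and `//ensures acc(r.test, write)`), so the body writes `r.test` with no declared permission; under plain Viper that is a verification failure, so the file only makes sense if the commented lines are the result the biabduction run is expected to recover. A line above the method such as `// contract intentionally omitted: the abduction run should infer acc(r.test, write)` would record that and stop a later reader from restoring the contract. The parameter `d: Int` is unused and could be dropped from the signature at the same time.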
+++ b/src/test/resources/biabduction/vipertests/basic/disjunction_fast_20.vpr 
@@ -0,0 +1,215 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +/* + * The performance of silicon used to depend on the disjunction order in the following predicate + * Compare disjunction_slow_20.vpr + */ + +field val: Int + +predicate Slow(this: Ref) { + acc(this.val) && + (this.val == 0 || (this.val == 1 || (this.val == 2 || (this.val == 3 || (this.val == 4 || (this.val == 5 || (this.val == 6 || (this.val == 7 || (this.val == 8 || (this.val == 9 || (this.val == 10 || (this.val == 11 || (this.val == 12 || (this.val == 13 || (this.val == 14 || (this.val == 15 || (this.val == 16 || (this.val == 17 || (this.val == 18 || (this.val == 19 || true)))))))))))))))))))) +} + +method havoc() returns (res:Int) + +method test(this: Ref) + requires Slow(this) + ensures Slow(this) +{ + unfold Slow(this) + var tmp: Int + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + 
this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold 
Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+
+}
+
+
+
diff --git a/src/test/resources/biabduction/vipertests/basic/disjunction_slow_20.vpr b/src/test/resources/biabduction/vipertests/basic/disjunction_slow_20.vpr
new file mode 100644
index 00000000..5586bf8f
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/basic/disjunction_slow_20.vpr
@@ -0,0 +1,215 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +/* + * The performance of silicon used to depend on the disjunction order in the following predicate + * Compare disjunction_fast_20.vpr + */ + +field val: Int + +predicate Slow(this: Ref) { + acc(this.val) && + ((((((((((((((((((((this.val == 0 || this.val == 1) || this.val == 2) || this.val == 3) || this.val == 4) || this.val == 5) || this.val == 6) || this.val == 7) || this.val == 8) || this.val == 9) || this.val == 10) || this.val == 11) || this.val == 12) || this.val == 13) || this.val == 14) || this.val == 15) || this.val == 16) || this.val == 17) || this.val == 18) || this.val == 19) || true) +} + +method havoc() returns (res:Int) + +method test(this: Ref) + requires Slow(this) + ensures Slow(this) +{ + unfold Slow(this) + var tmp: Int + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + 
this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold Slow(this) + unfold Slow(this) + tmp := havoc() + this.val := tmp + fold 
Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+ unfold Slow(this)
+ tmp := havoc()
+ this.val := tmp
+ fold Slow(this)
+
+}
+
+
+
diff --git a/src/test/resources/biabduction/vipertests/basic/funcpred.vpr b/src/test/resources/biabduction/vipertests/basic/funcpred.vpr
new file mode 100644
index 00000000..551b992f
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/basic/funcpred.vpr
@@ -0,0 +1,35 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+
+field value: Int
+field next: Ref
+field f: Int
+
+function itemat(node: Ref, i: Int): Int
+ requires acc(valid(node), wildcard) && i >= 0
+{
+ unfolding acc(valid(node), wildcard) in ((i == 0 || node.next == null) ? node.value : itemat(node.next, i-1))
+}
+
+predicate valid(this: Ref) {
+ acc(this.next, write) &&
+ acc(this.value, write) &&
+ ((this.next != null) ==> acc(valid(this.next), write))
+}
+
+method a(this: Ref)
+ requires acc(valid(this), write) && acc(this.f, write)
+ ensures acc(valid(this), write)
+{
+ unfold acc(valid(this), write)
+ this.value := 1
+ fold acc(valid(this), write)
+ void(this)
+ assert itemat(this, 0) == 1
+}
+
+method void(this: Ref)
+ requires acc(this.f, write)
+ ensures acc(this.f, write)
+{}
diff --git a/src/test/resources/biabduction/vipertests/functions/linkedlists.vpr b/src/test/resources/biabduction/vipertests/functions/linkedlists.vpr
new file mode 100644
index 00000000..354b4b49
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/functions/linkedlists.vpr
@@ -0,0 +1,163 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +//:: IgnoreFile(/silicon/issue/104/) + +// NOTES (important points are also commented in the code below) +// (1) The definition of list(xs) precludes the case xs==null. But, without unfolding the predicate, this information is not available. This is important for e.g., +// showing that length increases by 1 when prepending. For now, the explicit non-nullity of the argument has been conjoined everywhere. +// (2) The definition of the function ascending in terms of the function head means that framing head is often necessary. This is true even in cases where the head +// element is "clear", e.g. when a postcondition about elems is also written, since relating the sequence to the head() function is not automatic. +// (3) The relationships between different abstractions is not always automatic. For example, the if-condition tail(xs)==null actually implies that elems(xs) has +// length 1 and also that head(xs) == tail(xs). Both of these facts are needed to prove the postconditions of insert. Resorting to limited functions would allow +// manual assertions to trigger these properties. Without limited-functions-style triggering (i.e. only based on fold/unfold of predicates), these must be assumptions + +field next: Ref +field val: Int + +predicate list(xs: Ref) { + acc(xs.next) && acc(xs.val) && (xs.next != null ==> acc(list(xs.next)) && xs.next != null) +} + +function length(xs: Ref): Int + requires acc(list(xs)) && xs != null // (1) + ensures result > 0 +{ unfolding acc(list(xs)) in 1 + (xs.next == null ? 0 : length(xs.next)) } // (1) + +function sum(xs: Ref): Int + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in xs.val + (xs.next == null ? 
0 : sum(xs.next)) } + +function head(xs: Ref): Int + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in xs.val } + +function tail(xs: Ref): Ref + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in xs.next } + +function last(xs: Ref): Int + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in xs.next == null ? xs.val : last(xs.next) } + +function contains(xs: Ref, x: Int): Bool + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in x == xs.val || (xs.next != null && contains(xs.next, x)) } + +function elems(xs: Ref): Seq[Int] + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in Seq(xs.val) ++ (xs.next == null ? Seq[Int]() : elems(xs.next)) } + +function get(xs: Ref, index: Int): Int + requires acc(list(xs)) && xs != null + requires 0 <= index && index < length(xs) +{ unfolding acc(list(xs)) in index == 0 ? xs.val : get(xs.next, index - 1) } + +method prepend(xs: Ref, y: Int) returns (ys: Ref) + requires acc(list(xs)) && xs != null + ensures acc(list(ys)) && ys != null + ensures length(ys) == old(length(xs)) + 1 // (1) + ensures elems(ys) == Seq(y) ++ old(elems(xs)) + ensures head(ys) == y // (2) + ensures old(y <= head(xs) && ascending(xs)) ==> ascending(ys) +{ + ys := new(val, next) + ys.val := y + ys.next := xs + fold acc(list(ys)) +} + +method append(xs: Ref, y: Int) + requires acc(list(xs)) && xs != null + ensures acc(list(xs)) && xs != null + ensures length(xs) == old(length(xs)) + 1 + ensures elems(xs) == old(elems(xs)) ++ Seq(y) + ensures head(xs) == old(head(xs)) // (2) + ensures old(y >= last(xs) && ascending(xs)) ==> ascending(xs) // (2) +{ + unfold acc(list(xs)) + + if (xs.next == null) { + var ys: Ref + ys := new(val, next) + ys.val := y + ys.next := null + fold acc(list(ys)) + xs.next := ys + } else { + append(xs.next, y) + } + + fold acc(list(xs)) +} + +function ascending(xs: Ref): Bool + requires acc(list(xs)) && xs != null +{ unfolding acc(list(xs)) in (xs.next == null || 
(xs.val <= head(xs.next) && ascending(xs.next))) } + +method insert(xs: Ref, y: Int) returns (ys: Ref, i: Int) + requires acc(list(xs)) && xs != null + ensures acc(list(ys)) && ys != null + ensures 0 <= i && i <= old(length(xs)) + ensures (i > 0 ==> head(ys) == old(head(xs))) && (i == 0 ==> head(ys) == y) // (2) + ensures length(ys) == old(length(xs)) + 1 + ensures elems(ys) == old(elems(xs))[0..i] ++ Seq(y) ++ old(elems(xs))[i..] + ensures old(ascending(xs)) ==> ascending(ys) // (2) +{ + if (y <= head(xs)) { + ys := prepend(xs, y) + i := 0 + } elseif (tail(xs) == null) { + assume head(xs) == last(xs) // (3) NOTE: *assumption* is needed without resorting to limited functions + assume |elems(xs)| == 1 // (3) NOTE: *assumption* is needed without resorting to limited functions + append(xs, y) + ys := xs + i := 1 + } else { + unfold acc(list(xs)) + + if (y <= unfolding acc(list(xs.next)) in xs.next.val) { + ys := new(val, next) + ys.val := y + ys.next := xs.next + fold acc(list(ys)) + xs.next := ys + ys := xs + i := 1 + } else { + ys, i := insert(xs.next, y) + xs.next := ys + ys := xs + i := i + 1 + } + + fold acc(list(ys)) + } +} + +/* Misc */ + +/* At some point, Silicon had a small bug in the handling of disjunction, as used + * in the body of ascending(xs). Hence this test. + */ +method test01(xs: Ref) + requires acc(list(xs)) && xs != null && ascending(xs) +{ + unfold acc(list(xs)) + assume xs.next != null + + assert ascending(xs.next) +} + +/* Modelled after a Chalice2Silver test case, uncovered a problem in Silicon */ +method test02(xs: Ref, x: Int, ys: Ref) + requires ys != null + requires acc(list(ys)) + requires acc(xs.val) && acc(xs.next) +{ + xs.val := x + xs.next := ys + + fold acc(list(xs)) + assert forall i: Int :: i in [1..length(xs)) ==> get(xs, i) == unfolding acc(list(xs), write) in get(ys, i - 1) +} 
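Review bot: linkedlists.vpr keeps `//:: IgnoreFile(/silicon/issue/104/)` from the upstream Viper test suite; if the biabduction test runner honours `//::` annotations the whole file is skipped and the copy adds no coverage, and if it does not, the two `assume` statements in `insert` flagged `(3) NOTE: *assumption* is needed` silently weaken what is checked and the known Silicon issue may surface as an unexplained failure. Either drop the IgnoreFile line and state the expected outcome, or add a comment saying why the file is included despite being ignored upstream. Which of the two applies is not visible from this diff.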
diff --git a/src/test/resources/biabduction/vipertests/functions/recursive_unrolling.vpr b/src/test/resources/biabduction/vipertests/functions/recursive_unrolling.vpr
new file mode 100644
index 00000000..778c8563
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/functions/recursive_unrolling.vpr
@@ -0,0 +1,51 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field next: Ref
+
+predicate node(this: Ref) {
+ acc(this.next) && (this.next != null ==> acc(node(this.next)))
+}
+
+function length(this: Ref): Int
+ requires acc(node(this))
+ ensures result > 0
+{
+ 1 + unfolding acc(node(this)) in
+ this.next == null ? 0 : length(this.next)
+}
+
+method test01() {
+ var n1: Ref; n1 := new(next)
+ n1.next := null
+ fold acc(node(n1))
+
+ var n2: Ref; n2 := new(next)
+ n2.next := n1
+ fold acc(node(n2))
+
+ var n3: Ref; n3 := new(next)
+ n3.next := n2
+ fold acc(node(n3))
+
+ var n4: Ref; n4 := new(next)
+ n4.next := n3
+ fold acc(node(n4))
+
+ var n5: Ref; n5 := new(next)
+ n5.next := n4
+ fold acc(node(n5))
+
+ assert length(n5) == 5
+}
+
+method test02(n4: Ref)
+ requires acc(node(n4)) && length(n4) == 4
+{
+ unfold acc(node(n4))
+ unfold acc(node(n4.next))
+ unfold acc(node(n4.next.next))
+ unfold acc(node(n4.next.next.next))
+
+ assert n4.next.next.next.next == null
+}
diff --git a/src/test/resources/biabduction/vipertests/predicates/arguments.vpr b/src/test/resources/biabduction/vipertests/predicates/arguments.vpr
new file mode 100644
index 00000000..784c9dce
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/predicates/arguments.vpr
@@ -0,0 +1,90 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+
+field f: Int
+field g: Int
+field unrelatedField: Int
+
+method unrelated(this: Ref)
+ requires acc(this.unrelatedField, write)
+ ensures acc(this.unrelatedField, write)
+{}
+
+predicate valid(this: Ref, b: Bool) {
+ b ? acc(this.f, write) : acc(this.g, write)
+}
+
+method t1(this: Ref, b: Bool)
+ requires acc(this.unrelatedField, write)
+ requires acc(valid(this, b), write)
+ ensures acc(valid(this, b), write)
+{
+ unfold acc(valid(this, b), write)
+ if (b) {
+ this.f := 1
+ } else {
+ this.g := 2
+ }
+ fold acc(valid(this, b), write)
+ unrelated(this)
+}
+
+method t2(this: Ref)
+ requires acc(this.unrelatedField, write)
+ requires acc(this.f, write)
+ ensures acc(valid(this, true), write)
+{
+ fold acc(valid(this, true), write)
+ unrelated(this)
+}
+
+method t2b(this: Ref)
+ requires acc(this.f, write)
+ ensures acc(valid(this, true), write)
+{
+ //:: ExpectedOutput(fold.failed:insufficient.permission)
+ fold acc(valid(this, false), write)
+}
+
+method t3(this: Ref, b: Bool)
+ requires acc(this.unrelatedField, write)
+ requires acc(valid(this, b), write)
+ requires acc(valid(this, !b), write)
+ //:: UnexpectedOutput(not.wellformed:insufficient.permission, /silicon/issue/36/)
+ requires (unfolding acc(valid(this, false), write) in ((this.g) == 2))
+ ensures acc(valid(this, b), write)
+ ensures acc(valid(this, !b), write)
+ ensures (unfolding acc(valid(this, false), write) in ((this.g) == 2))
+{
+ unfold acc(valid(this, true), write)
+ this.f := 1
+ fold acc(valid(this, true), write)
+}
+
+method t3a(this: Ref, b: Bool)
+ requires acc(this.unrelatedField, write)
+ requires acc(valid(this, b), write)
+ requires acc(valid(this, !b), write)
+ //:: UnexpectedOutput(not.wellformed:insufficient.permission, /silicon/issue/36/)
+ requires (unfolding acc(valid(this, false), write) in ((this.g) == 2))
+ ensures acc(valid(this, b), write)
+ ensures
acc(valid(this, !b), write)
+ ensures (unfolding acc(valid(this, false), write) in ((this.g) == 2))
+{
+ unfold acc(valid(this, true), write)
+ this.f := 1
+ fold acc(valid(this, true), write)
+ unrelated(this)
+}
+
+method t3b(this: Ref, b: Bool)
+ requires acc(valid(this, b), write)
+ requires acc(valid(this, !b), write)
+{
+ //:: UnexpectedOutput(unfold.failed:insufficient.permission, /silicon/issue/36/)
+ unfold acc(valid(this, true), write)
+ //:: ExpectedOutput(assignment.failed:insufficient.permission)
+ //:: MissingOutput(assignment.failed:insufficient.permission, /silicon/issue/36/)
+ this.g := 1
+}
diff --git a/src/test/resources/biabduction/vipertests/predicates/different_field_types.vpr b/src/test/resources/biabduction/vipertests/predicates/different_field_types.vpr
new file mode 100644
index 00000000..b3a1cb23
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/predicates/different_field_types.vpr
@@ -0,0 +1,58 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+/* These tests are intended to test Silicon's internal concept of 'snapshots'. */
+
+field f: Int
+field g: Bool
+
+method test1(x: Ref, b: Bool)
+ requires b ? acc(x.f) : acc(x.g)
+ ensures b ? acc(x.f) && x.f == 0 : acc(x.g) && x.g
+{
+ if (b) {
+ x.f := 0
+ } else {
+ x.g := true
+ }
+}
+
+predicate P(x: Ref, b: Bool) {
+ b ? acc(x.f) : acc(x.g)
+}
+
+method test2(x: Ref, b: Bool)
+ requires acc(P(x, b))
+ ensures b ? acc(x.f) : acc(x.g)
+{
+ unfold acc(P(x, b))
+
+ if (b) {
+ x.f := x.f + 1
+ } else {
+ x.g := !x.g
+ }
+}
+
+function fun(x: Ref, b: Bool): Bool
+ requires b ? acc(x.f) : acc(x.g)
+{ b ? x.f != 0 : !x.g }
+
+method test3(x: Ref, b: Bool)
+ requires acc(P(x, b))
+ ensures acc(P(x, b))
+{
+ unfold acc(P(x, b))
+
+ var c: Bool := fun(x, b)
+
+ if (b) {
+ x.f := x.f + 1
+ c := fun(x, b)
+ } else {
+ x.g := !x.g
+ c := fun(x, b)
+ }
+
+ fold acc(P(x, b))
+}
diff --git a/src/test/resources/biabduction/vipertests/predicates/non-aliasing.vpr b/src/test/resources/biabduction/vipertests/predicates/non-aliasing.vpr
new file mode 100644
index 00000000..4af85f3d
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/predicates/non-aliasing.vpr
@@ -0,0 +1,37 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+//:: IgnoreFile(/silicon/issue/40/)
+
+field next: Ref
+
+predicate valid(this: Ref) {
+ acc(this.next, wildcard) &&
+ (((this.next) != (null)) ==> acc(valid(this.next), wildcard))
+}
+
+method testNestingUnfold(this: Ref)
+ requires acc(valid(this), wildcard)
+{
+ unfold acc(valid(this), wildcard)
+ assert ((this) != (this.next))
+
+ if (((this.next) != (null))) {
+ unfold acc(valid(this.next), wildcard)
+ assert ((this.next) != (this.next.next))
+ assert ((this) != (this.next.next))
+ }
+}
+
+
+predicate valid2(this: Ref) {
+ acc(this.next) &&
+ (((this.next) != (null)) ==> acc(valid2(this.next)))
+}
+
+method testNestingUnfold2(this: Ref)
+ requires acc(valid2(this))
+{
+ unfold acc(valid2(this))
+ assert ((this) != (this.next))
+}
diff --git a/src/test/resources/biabduction/vipertests/tree-delete-min/tree_delete_min.vpr b/src/test/resources/biabduction/vipertests/tree-delete-min/tree_delete_min.vpr
new file mode 100644
index 00000000..ab5bf620
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/tree-delete-min/tree_delete_min.vpr
@@ -0,0 +1,93 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+
+/* This example shows how magic wands can be used to specify the
+ * imperative version of challenge 3 from the VerifyThis@FM2012
+ * verification competition. Method tree_delete_min below is an
+ * iterative implementation of the removal of the minimal element
+ * in a binary search tree.
+ *
+ * The example contains two assertions (marked with "TODO") that
+ * help overcoming an incompleteness with respect to sequences.
+ *
+ * At present, this example uses syntax which is only supported
+ * by the default Viper verifier (Silicon).
+ */
+
+field v: Int
+field l: Ref
+field r: Ref
+
+predicate Tree(x: Ref) {
+ x == null
+ ? true
+ : acc(x.v)
+ && acc(x.l) && acc(Tree(x.l))
+ && acc(x.r) && acc(Tree(x.r))
+}
+
+function val(x: Ref): Int
+ requires x != null && acc(Tree(x))
+{ unfolding acc(Tree(x)) in x.v }
+
+function vals(x: Ref): Seq[Int]
+ requires acc(Tree(x))
+{ x == null ? Seq[Int]() : unfolding acc(Tree(x)) in vals(x.l) ++ Seq(x.v) ++ vals(x.r) }
+
+/* Deletes the minimal element of a binary tree, assuming that the
+ * tree is a binary search tree (which, for simplicity, is not made
+ * explicit in the definition of predicate Tree).
+ */
+method tree_delete_min(x: Ref) returns (z: Ref)
+ requires x != null && acc(Tree(x))
+ ensures acc(Tree(z)) /* POST1 */
+ ensures vals(z) == old(vals(x))[1..] /* POST2 */
+{
+ var p: Ref := x
+ var plvs: Seq[Int]
+
+ define A acc(p.l) && acc(Tree(p.l)) && vals(p.l) == plvs[1..]
+ define B acc(Tree(x)) && vals(x) == old(vals(x))[1..]
+
+ unfold acc(Tree(p))
+ plvs := vals(p.l)
+
+ if (p.l == null) {
+ z := p.r
+
+ assert vals(x.l) == Seq[Int]() /* TODO: Required by Silicon for POST2 */
+ } else {
+ package (A) --* B {
+ fold acc(Tree(p))
+ }
+
+ while (unfolding acc(Tree(p.l)) in p.l.l != null)
+ invariant p != null && acc(p.l) && acc(Tree(p.l)) && p.l != null
+ invariant plvs == vals(p.l)
+ invariant A --* B
+ {
+ var oldP: Ref := p
+ var oldPlvs: Seq[Int] := plvs
+
+ unfold acc(Tree(p.l))
+ p := p.l
+ plvs := vals(p.l)
+
+ package (A) --* B {
+ fold Tree(p)
+ apply (acc(oldP.l) && acc(Tree(oldP.l)) && vals(oldP.l) == oldPlvs[1..]) --*
+ (acc(Tree(x)) && vals(x) == old(vals(x))[1..])
+ }
+ }
+
+ unfold acc(Tree(p.l))
+ assert vals(p.l.l) == Seq[Int]() /* TODO: Required by Silicon for POST2 */
+
+ p.l := p.l.r
+
+ apply A --* B
+
+ z := x
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/Assume.vpr b/src/test/resources/biabduction/vipertests/wands/Assume.vpr
new file mode 100644
index 00000000..fa52d53d
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/Assume.vpr
@@ -0,0 +1,20 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field val: Int
+field next: Ref
+field hasNext: Bool
+
+predicate LinkedList(x: Ref) {
+ acc(x.val) && acc(x.next) && acc(x.hasNext) && (x.hasNext ==> LinkedList(x.next))
+}
+
+method test0(x: Ref)
+requires LinkedList(x)
+ensures LinkedList(x)
+{
+ package LinkedList(x) --* acc(x.next) && LinkedList(x.next) {
+ unfold LinkedList(x)
+ assume x.hasNext
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/IfElsePackage.vpr b/src/test/resources/biabduction/vipertests/wands/IfElsePackage.vpr
new file mode 100644
index 00000000..298a22a4
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/IfElsePackage.vpr
@@ -0,0 +1,23 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field b: Bool
+field f: Ref
+
+predicate Cell(x: Ref) {
+ acc(x.b) && acc(x.f) && (x.b ==> Cell(x.f))
+}
+
+method test0(x: Ref)
+{
+ package Cell(x) --* acc(x.f) && acc(x.b) && (x.b ? acc(x.f.b) : false) {
+ unfold Cell(x)
+ if(x.b) {
+ unfold Cell(x.f)
+ } else {
+ assume false
+ }
+ assert x.b ==> acc(x.f.b)
+ }
+ exhale Cell(x) --* acc(x.f) && acc(x.b) && (x.b ? acc(x.f.b) : false)
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/ListIterator.vpr b/src/test/resources/biabduction/vipertests/wands/ListIterator.vpr
new file mode 100644
index 00000000..c27ba779
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/ListIterator.vpr
@@ -0,0 +1,347 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+/* This example is based on the list iterator example, created by Blom and Huisman, which is available at
+ * https://github.com/utwente-fmt/vercors/blob/master/examples/witnesses/ListIterator.java.
+ *
+ * This example encodes an iterator over a linked list. The iterator protocol consists of 3 states:
+ * "ready" is the initial state
+ * "ready for Node_next" indicates that the iterator can advance a step
+ * "ready for remove" indicates that the Iterator_current element can be removed from the list
+ *
+ * The protocol followed indicates, that the Iterator_hasNext() method of the iterator in the "ready" state can be used
+ * to transition to the "ready for Node_next" state iff there is a Node_next element in the list. Furthermore the iterator's
+ * Node_next() method can only be called in the "ready for Node_next" state and transitions the iterator to the "redy for
+ * remove" state. From the "ready for remove" state it is possible to transition to the ready state directly or
+ * by calling the Iterator_remove() method to remove the Iterator_current item. It is moreover possible to get back access to the
+ * linked list by giving up access to the iterator in the "ready" state.
+ */
+
+//main method used as an example execution using the Iterator class
+method main(l: Ref)
+requires l!=null && List_state(l)
+ensures l!=null && List_state(l) {
+ var b: Bool
+
+ //add some values to the list
+ List_put(l, 1)
+ List_put(l, 0)
+ List_put(l, -1)
+
+ //create an iterator
+ var i: Ref
+ i := Iterator_new(l)
+
+ //check if there is a first element
+ b := Iterator_hasNext(i)
+
+ //loop over the list using the iterator
+ while(b)
+ invariant b ==> Iterator_readyForNext(i)
+ invariant !b ==> Iterator_ready(i) {
+
+ //get the next value in the list
+ var tmp: Int
+ tmp := Iterator_next(i)
+
+ //transition to the "ready" state by...
+ if (tmp < 0) {
+
+ //...removing the element
+ Iterator_remove(i)
+ } else {
+
+ //...using the provided magic wand for a direct transition
+ apply Iterator_readyForRemove(i) --* Iterator_ready(i)
+ }
+
+ //check if the end of the list has been reached
+ b := Iterator_hasNext(i)
+ }
+
+ //get back access to the list, by giving up the iterator
+ apply Iterator_ready(i) --* List_state(l)
+}
+
+//////////////////////Iterator class//////////////////////
+
+//fields of the iterator
+field Iterator_iteratee: Ref
+field Iterator_current: Ref
+field Iterator_last: Ref
+
+//encodes the "ready" state
+predicate Iterator_ready(this: Ref) {
+
+ //needs a list to iterate over
+ acc(this.Iterator_iteratee, 1/2) && this.Iterator_iteratee!=null
+ && acc(this.Iterator_iteratee.List_sentinel) && this.Iterator_iteratee.List_sentinel!=null
+
+ //needs access to the current and previous entry and the current entry cannot be null
+ && acc(this.Iterator_current) && acc(this.Iterator_last) && this.Iterator_current!=null
+
+ //needs access to the fields of the current node
+ && acc(this.Iterator_current.Node_val) && acc(this.Iterator_current.Node_next)&&acc(this.Iterator_current.Node_prev)
+
+ //only the sentinel node has no predecessor
+ && (this.Iterator_current.Node_prev == null ==> this.Iterator_current == this.Iterator_iteratee.List_sentinel)
+
+ //the predicate structure of the previous part of the list has been reversed
+ && (this.Iterator_current.Node_prev != null ==> Node_reverse(this.Iterator_current.Node_prev)
+ && Node_first(this.Iterator_current.Node_prev) == this.Iterator_iteratee.List_sentinel
+ && Node_rev_next(this.Iterator_current.Node_prev) == this.Iterator_current)
+
+ //the remainder of the list has not been reversed
+ && (this.Iterator_current.Node_next != null ==> Node_state(this.Iterator_current.Node_next))}
+
+//encodes the "ready for next" state
+predicate Iterator_readyForNext(this: Ref) {
+
+ //needs a list to iterate over
+ acc(this.Iterator_iteratee, 1/2) &&
this.Iterator_iteratee!=null
+ && acc(this.Iterator_iteratee.List_sentinel) && this.Iterator_iteratee.List_sentinel!=null
+
+ //needs access to the current and previous entry and the current entry cannot be null
+ && acc(this.Iterator_current) && acc(this.Iterator_last) && this.Iterator_current!=null
+
+ //needs access to the fields of the current node
+ && acc(this.Iterator_current.Node_val) && acc(this.Iterator_current.Node_next) && acc(this.Iterator_current.Node_prev)
+
+ //only the sentinel node has no predecessor
+ && (this.Iterator_current.Node_prev == null ==> this.Iterator_current == this.Iterator_iteratee.List_sentinel)
+
+ //the predicate structure of the previous part of the list has been reversed
+ && (this.Iterator_current.Node_prev!=null ==> Node_reverse(this.Iterator_current.Node_prev)
+ && Node_first(this.Iterator_current.Node_prev) == this.Iterator_iteratee.List_sentinel
+ && Node_rev_next(this.Iterator_current.Node_prev) == this.Iterator_current)
+
+ //the remainder of the list has not been reversed
+ && (this.Iterator_current.Node_next != null ==> Node_state(this.Iterator_current.Node_next))
+
+ //we now additionally know that there is a next element
+ && this.Iterator_current.Node_next != null}
+
+//encodes the "ready for remove" state
+predicate Iterator_readyForRemove(this: Ref) {
+
+ //needs a list to iterate over
+ acc(this.Iterator_iteratee, 1/2) && this.Iterator_iteratee != null
+ && acc(this.Iterator_iteratee.List_sentinel) && this.Iterator_iteratee.List_sentinel != null
+
+ //needs access to the current and previous entry and the current entry cannot be null
+ && acc(this.Iterator_current) && acc(this.Iterator_last) && this.Iterator_current!=null
+
+ //needs access to the fields of the current node
+ && acc(this.Iterator_current.Node_val) && acc(this.Iterator_current.Node_next) && acc(this.Iterator_current.Node_prev)
+
+ //only the sentinel node has no predecessor
+ && (this.Iterator_current.Node_prev == null ==> this.Iterator_current ==
this.Iterator_iteratee.List_sentinel)
+
+ //the remainder of the list has not been reversed
+ && (this.Iterator_current.Node_next != null ==> Node_state(this.Iterator_current.Node_next))
+
+ //the predecessor of current is last
+ && this.Iterator_current.Node_prev == this.Iterator_last
+
+ //there is a previous node, i.e. current is not the sentinel node and we have access to its fields
+ && this.Iterator_last != null && acc(this.Iterator_last.Node_val) && acc(this.Iterator_last.Node_next)
+ && acc(this.Iterator_last.Node_prev)
+
+ //if the previous node has no predecessor it is the sentinel node
+ && (this.Iterator_last.Node_prev == null ==> this.Iterator_last == this.Iterator_iteratee.List_sentinel)
+
+ //the predicate structure of the part of the list before last has been reversed
+ && (this.Iterator_last.Node_prev != null ==> Node_reverse(this.Iterator_last.Node_prev)
+ && Node_first(this.Iterator_last.Node_prev) == this.Iterator_iteratee.List_sentinel
+ && Node_rev_next(this.Iterator_last.Node_prev) == this.Iterator_last)
+
+ //the next element after last is current
+ && this.Iterator_last.Node_next == this.Iterator_current}
+
+//create an iterator for the list l
+method Iterator_new(l: Ref) returns (this: Ref)
+requires l!=null && List_state(l)
+ensures Iterator_ready(this)
+
+//the wand can be used to get back access to the list by giving up permissions to the iterator
+ensures Iterator_ready(this) --* List_state(l) {
+ this := new(Iterator_iteratee,Iterator_current,Iterator_last)
+ unfold List_state(l)
+ this.Iterator_current := l.List_sentinel
+ unfold Node_state(this.Iterator_current)
+ this.Iterator_current.Node_prev := null
+ this.Iterator_iteratee := l
+ fold Iterator_ready(this)
+
+ package Iterator_ready(this) --* List_state(l) {
+ unfold Iterator_ready(this)
+ fold Node_state(this.Iterator_current)
+
+ //the predicate structure of the part of the list before current has been reversed. This needs to be undone.
+ if (Node_get_prev(this.Iterator_current) != null){
+ Node_swap(Node_get_prev(this.Iterator_current), this.Iterator_iteratee.List_sentinel, this.Iterator_current)
+ }
+
+ /* transferring the remaining 1/2 permissions to this.Iterator_iteratee into the
+ * footprint ensures, that its value cannot be chaned, i.e. stays l.
+ */
+ assert acc(this.Iterator_iteratee)
+ fold List_state(l)
+ }
+}
+
+//check whether there is a next node in the list and transition to the appropriate state
+method Iterator_hasNext(this: Ref) returns (res: Bool)
+requires Iterator_ready(this)
+
+//we only transition to the "ready for next" state of there is a next element
+ensures res ==> Iterator_readyForNext(this)
+
+//and stay in the "ready" state otherwise
+ensures !res ==> Iterator_ready(this) {
+ unfold Iterator_ready(this)
+ res := this.Iterator_current.Node_next != null
+ if(!res) {
+ fold Iterator_ready(this)
+ } else {
+ fold Iterator_readyForNext(this)
+ }
+}
+
+//iterate
+method Iterator_next(this: Ref) returns (res: Int)
+requires Iterator_readyForNext(this)
+ensures Iterator_readyForRemove(this)
+
+//the wand can be used to transition ot the "ready" state directly, without removing the current element
+ensures Iterator_readyForRemove(this) --* Iterator_ready(this) {
+ unfold Iterator_readyForNext(this)
+ this.Iterator_last:=this.Iterator_current
+ this.Iterator_current:=this.Iterator_current.Node_next
+ unfold Node_state(this.Iterator_current)
+ res := this.Iterator_current.Node_val
+ this.Iterator_current.Node_prev:=this.Iterator_last
+ fold Iterator_readyForRemove(this)
+
+ package Iterator_readyForRemove(this) --* Iterator_ready(this) {
+ unfold Iterator_readyForRemove(this)
+
+ //adds the previous node to the reversed part of the list
+ fold Node_reverse(this.Iterator_current.Node_prev)
+
+ fold Iterator_ready(this)
+ }
+}
+
+//remove the current node from the list
+method Iterator_remove(this: Ref)
+requires Iterator_readyForRemove(this)
+ensures Iterator_ready(this) {
+
unfold Iterator_readyForRemove(this)
+ this.Iterator_last.Node_next := this.Iterator_current.Node_next
+ this.Iterator_current := this.Iterator_last
+ fold Iterator_ready(this)
+}
+
+//////////////////////List class//////////////////////
+
+//the sentinel is a node prepended before the first element of the list and is not part of the list
+field List_sentinel: Ref
+
+//represents a valid list
+predicate List_state(this: Ref){
+ acc(this.List_sentinel) && this.List_sentinel != null && Node_state(this.List_sentinel)}
+
+//create a new empty list
+method List_new() returns (this: Ref)
+ensures List_state(this) {
+ this := new(List_sentinel)
+ var sent: Ref
+ sent := Node_new(0,null)
+ this.List_sentinel := sent
+ fold List_state(this)
+}
+
+//add an element to the list
+method List_put(this: Ref, v: Int)
+requires List_state(this)
+ensures List_state(this) {
+ unfold List_state(this)
+ unfold Node_state(this.List_sentinel)
+ var sentNode_next: Ref
+ sentNode_next := Node_new(v,this.List_sentinel.Node_next)
+ this.List_sentinel.Node_next := sentNode_next
+ fold Node_state(this.List_sentinel)
+ fold List_state(this)
+}
+
+//////////////////////Node class of linked list//////////////////////
+
+//fields of the node
+field Node_val: Int
+field Node_prev: Ref
+field Node_next: Ref
+
+//a valid list
+predicate Node_state(this: Ref) {
+ acc(this.Node_val) && acc(this.Node_prev) && acc(this.Node_next)
+ && (this.Node_next != null ==> Node_state(this.Node_next))}
+
+//a valid list, with a reversed predicate structure
+//i.e.
the outer most predicate instance represents the last element of the list
+predicate Node_reverse(this: Ref) {
+ acc(this.Node_val) && acc(this.Node_prev) && acc(this.Node_next)
+ && (this.Node_prev != null ==> Node_reverse(this.Node_prev) && Node_rev_next(this.Node_prev) == this)}
+
+//getters
+function Node_get_next(this: Ref): Ref
+requires Node_state(this) {
+ unfolding Node_state(this) in this.Node_next}
+
+function Node_get_prev(this: Ref): Ref
+requires Node_state(this) {
+ unfolding Node_state(this) in this.Node_prev}
+
+function Node_rev_next(this: Ref): Ref
+requires Node_reverse(this) {
+ unfolding Node_reverse(this) in this.Node_next}
+
+function Node_rev_prev(this: Ref): Ref
+requires Node_reverse(this) {
+ unfolding Node_reverse(this) in this.Node_prev}
+
+//finds the first node of a list
+function Node_first(this: Ref): Ref
+ requires Node_reverse(this)
+{
+ unfolding Node_reverse(this) in (this.Node_prev==null) ? this : Node_first(this.Node_prev)}
+
+//create a new node
+method Node_new(v: Int, n: Ref) returns (this: Ref)
+requires n != null ==> Node_state(n)
+ensures Node_state(this) && Node_get_next(this) == n
+ensures this != null {
+ this := new(Node_val, Node_prev, Node_next)
+ this.Node_val := v
+ this.Node_next := n
+ fold Node_state(this)
+}
+
+//used to undo the reversal of the predicate structure
+method Node_swap(this: Ref, fst: Ref, nxt: Ref)
+requires fst != null && Node_reverse(this) && Node_rev_next(this) == nxt && (nxt != null ==> Node_state(nxt)) && Node_first(this) == fst
+ensures fst != null && Node_state(fst) {
+ unfold Node_reverse(this)
+ if (this.Node_prev == null) {
+
+ //we have reached the beginning of the list => after undoing the reversal of the predicate we are done
+ fold Node_state(this)
+ } else {
+
+ //we have not reached the beginning of the list, yet
+ //=> undo reversal of current predicate and recursively undo reversal of the remainder of the list
+ var tmp: Ref := this.Node_prev
+ fold Node_state(this)
+
Node_swap(tmp, fst,this)
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/SnapshotsBranching.vpr b/src/test/resources/biabduction/vipertests/wands/SnapshotsBranching.vpr
new file mode 100644
index 00000000..d3d9d7af
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/SnapshotsBranching.vpr
@@ -0,0 +1,32 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+//:: IgnoreFile(/carbon/issue/216/)
+field a: Int
+field b: Int
+field c: Int
+
+method test0(x: Ref)
+requires acc(x.a) && acc(x.b) && acc(x.c)
+ensures acc(x.a) && acc(x.b) && acc(x.c) && x.a == old(x.a) && x.b == old(x.b) && x.c == old(x.c) {
+ package acc(x.a) --* acc(x.a) && (x.a == 0 ? acc(x.b) : acc(x.c))
+ apply acc(x.a) --* acc(x.a) && (x.a == 0 ? acc(x.b) : acc(x.c))
+}
+
+method test1(x: Ref)
+requires acc(x.a) && acc(x.b) && acc(x.c)
+ensures acc(x.a) && acc(x.b) && acc(x.c) && x.a == old(x.a) && x.b == old(x.b) && x.c == old(x.c) {
+ package acc(x.a) --* acc(x.a) && (x.a == 0 ? (true --* acc(x.b)) : (true --* acc(x.c))) {
+ if (x.a == 0) {
+ package true --* acc(x.b)
+ } else {
+ package true --* acc(x.c)
+ }
+ }
+ apply acc(x.a) --* acc(x.a) && (x.a == 0 ? (true --* acc(x.b)) : (true --* acc(x.c)))
+ if (x.a == 0) {
+ apply true --* acc(x.b)
+ } else {
+ apply true --* acc(x.c)
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/SnapshotsNestedMagicWands.vpr b/src/test/resources/biabduction/vipertests/wands/SnapshotsNestedMagicWands.vpr
new file mode 100644
index 00000000..94af3cb2
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/SnapshotsNestedMagicWands.vpr
@@ -0,0 +1,59 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+//:: IgnoreFile(/carbon/issue/216/)
+field f: Int
+field g: Int
+
+predicate Cell(x: Ref) {
+ acc(x.f)
+}
+
+method test0(x: Ref)
+requires acc(x.f) && acc(x.g)
+ensures acc(x.f) && acc(x.g) && x.f == old(x.f) && x.g == old(x.g) {
+ package true --* acc(x.f) && (true --* acc(x.g)) {
+ package (true --* acc(x.g))
+ }
+ apply true --* acc(x.f) && (true --* acc(x.g))
+ apply true --* acc(x.g)
+}
+
+method test1(x: Ref)
+requires acc(x.f)
+ensures acc(x.f) && x.f == old(x.f) {
+ package true --* (true --* acc(x.f)) {
+ package true --* acc(x.f)
+ }
+ apply true --* (true --* acc(x.f))
+ apply true --* acc(x.f)
+}
+
+method test2(x: Ref)
+requires acc(x.f) && acc(x.g)
+ensures acc(x.f) && acc(x.g) && x.f == old(x.f) && x.g == old(x.g) {
+ package acc(x.f) && acc(x.g) --* acc(x.f) && acc(x.g) && (acc(x.g) --* acc(x.g)) {
+ package (acc(x.g) --* acc(x.g))
+ }
+ apply acc(x.f) && acc(x.g) --* acc(x.f) && acc(x.g) && (acc(x.g) --* acc(x.g))
+ apply acc(x.g) --* acc(x.g)
+}
+
+method test3(x: Ref)
+requires acc(x.f)
+ensures acc(x.f) && x.f == old(x.f) {
+ package acc(x.f) --* acc(x.f) {
+ package true --* true
+ }
+ apply acc(x.f) --* acc(x.f)
+}
+
+method test4(x: Ref)
+requires acc(x.f)
+ensures acc(x.f) && x.f == old(x.f) {
+ package true --* acc(x.f)
+ package true --* acc(x.f) {
+ apply true --* acc(x.f)
+ }
+ apply true --* acc(x.f)
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/UnfoldPredicateOnField.vpr b/src/test/resources/biabduction/vipertests/wands/UnfoldPredicateOnField.vpr
new file mode 100644
index 00000000..ecec237a
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/UnfoldPredicateOnField.vpr
@@ -0,0 +1,16 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field f: Ref
+
+predicate Cell(x: Ref) {
+ acc(x.f)
+}
+
+method test0(x: Ref)
+requires acc(x.f) && Cell(x.f)
+{
+ package acc(x.f) && Cell(x.f) --* acc(x.f) && acc(x.f.f) {
+ unfold Cell(x.f)
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/VariableAccess.vpr b/src/test/resources/biabduction/vipertests/wands/VariableAccess.vpr
new file mode 100644
index 00000000..3193f3fd
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/VariableAccess.vpr
@@ -0,0 +1,25 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field next: Ref
+
+predicate TrueListNode(x: Ref) {
+ acc(x.next) && x.next != null && acc(x.next.next)
+}
+
+function getNext(x: Ref): Ref
+requires TrueListNode(x) {
+ unfolding TrueListNode(x) in x.next
+}
+
+method test0(x: Ref)
+requires acc(x.next){
+ var n: Ref
+ n := new(next)
+ x.next := n
+ package true --* TrueListNode(x) && getNext(x) == n {
+ var tmp: Ref := n
+ assert acc(x.next) && x.next == tmp
+ fold TrueListNode(x)
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/conditionals.vpr b/src/test/resources/biabduction/vipertests/wands/conditionals.vpr
new file mode 100644
index 00000000..0c5561f6
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/conditionals.vpr
@@ -0,0 +1,110 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+/* This example illustrates the behaviour of conditionals on the RHS
+ * of a wand, in particular, which uncertainties are caused when the
+ * footprint of a wand is affected by locations to which permissions
+ * are provided by the LHS.
+ */
+
+field f: Bool
+field g: Int
+field h: Ref
+
+method conditionals01(x: Ref)
+ requires acc(x.f) && acc(x.g)
+{
+ define A acc(x.f)
+ define B acc(x.f) && (x.f ==> acc(x.g))
+
+ // The current state holds permissions to x.f and x.g, and x.f has some
+ // unknown value b (the value of x.g is irrelevant). The current state
+ // thus satisfies the assertion:
+ //
+ // acc(x.f) * x.f == b * acc(x.g)
+
+ package A --* B
+ // The LHS provides a hypothetical state in which x.f has some value b'.
+ // Since the value of b' is unknown, acc(x.g) is effectively part of the
+ // footprint of the wand. The current state now satisfies:
+ //
+ // acc(x.f) * x.f == b * (!b' ==> acc(x.g)) * (A --* B)
+
+ apply A --* B
+ // Applying the wand instance requires giving up permissions to x.f, but
+ // we gain them back right away. x.f has an unknown value b'' (in
+ // principle, this should be the same unknown value b as before the
+ // apply; see regression/issue024.vpr for a discussion of this issue).
+ // Depending on b'' (i.e. the value of x.f), we potentially also got
+ // permissions to x.g from the apply. The current state thus satisfies:
+ //
+ // acc(x.f) * x.f == b'' * (!b' ==> acc(x.g)) * (b'' ==> acc(x.g))
+ //
+ // The third conjunct is essentially garbage since we will not be able to
+ // deduce anything about b'.
+
+ if (x.f) {
+ // We gained clarity about the value b'' that x.f has, resulting in:
+ //
+ // acc(x.f) * x.f == true * acc(x.g)
+ assert acc(x.g)
+ }
+
+ // assert acc(x.g) // Will (and must) fail
+}
+
+method conditionals02(x: Ref)
+ requires acc(x.f) && acc(x.g, write) && acc(x.h, write)
+{
+ define A acc(x.f)
+ define B acc(x.f) && (x.f ? acc(x.g) : acc(x.h))
+
+ // The current state holds permissions to x.f, x.g and x.h, and x.f has
+ // some unknown value b (the other values are irrelevant).
+ // The current state thus satisfies the assertion:
+ //
+ // acc(x.f) * x.f == b * acc(x.g) * acc(x.h)
+
+ package A --* B
+ // The LHS provides a hypothetical state in which x.f has some value b'.
+ // Since the value of b' is unknown, both acc(x.g) and acc(x.h) must be
+ // part of the footprint of the wand. The current state thus satisfies:
+ //
+ // acc(x.f) * x.f == b * (!b' ? acc(x.g) : acc(x.h)) * (A --* B)
+
+ apply A --* B
+ // After applying the wand, x.f has an unknown value b'' (resulting from an
+ // incompleteness in our implementation, as explained above).
+ // Depending on b'', we either got (back) permissions to x.g or to x.h.
+ // The current state thus satisfies:
+ //
+ // acc(x.f) * x.f == b'' * (!b' ? acc(x.g) : acc(x.h)) *
+ // (b'' ? acc(x.g) : acc(x.h))
+ //
+ // In contrast to the situation above, however, this time we are (and the
+ // verifier is, too) able to deduce that we are now back in a state that
+ // satisfies the following assertion:
+ //
+ // acc(x.f) * acc(x.g) * acc(x.h)
+ //
+ // The reason for this is the separating conjunction, in particular, the
+ // fact that acc(x.f) * acc(x.f) is equivalent to false.
Let us consider
+ // the truth table for b' and b'' (where t/f stand for true/false), and
+ // the implications of the their values on the assertion from above (the
+ // one after the apply statement; ignoring x.f):
+ //
+ // b' | b'' | assertion
+ // -----------------------------------
+ // t | t | acc(x.h) * acc(x.g)
+ // t | f | acc(x.h) * acc(x.h)
+ // f | t | acc(x.g) * acc(x.g)
+ // f | f | acc(x.g) * acc(x.h)
+ // -----------------------------------
+ //
+ // Hence, we now know that the footprint of the wand we packaged and
+ // applied either comprised acc(x.g) or acc(x.h), but not both, and that
+ // we are now again in a state where we hold permissions to all three
+ // fields.
+
+ assert acc(x.f) && acc(x.g) && acc(x.h)
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/eval_states.vpr b/src/test/resources/biabduction/vipertests/wands/eval_states.vpr
new file mode 100644
index 00000000..661ed42f
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/eval_states.vpr
@@ -0,0 +1,64 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field f: Int
+field g: Int
+field h: Ref
+
+method test01(x: Ref)
+ requires acc(x.f, 1/2) --* acc(x.f) && x.f == 0
+ requires acc(x.f, 1/2)
+ ensures acc(x.f) /* Consumed from the consume-heap h */
+ && x.f == 0 /* Needs to be evaluated in the eval-heap σ.h */
+{
+ apply acc(x.f, 1/2) --* acc(x.f) && x.f == 0
+}
+
+method test02(x: Ref)
+ requires true --* true
+{
+ package
+ acc(x.g) && x.g > 0
+ --* acc(x.g) /* Transfer acc(x.g) from σLHS to σUsed */
+ && x.g > 0 /* Needs to be evaluated in σUsed */ {
+ apply true --* true
+ }
+}
+
+predicate Emp(l: Ref) { true }
+
+method test03(l: Ref)
+ requires l != null
+ requires true --* acc(l.h) && acc(Emp(l.h))
+{
+ package true --* acc(l.h) {
+ apply true --* acc(l.h) && acc(Emp(l.h))
+ /* Permissions gained from applying the wand are pushed as a new heap to
+ * the top of the reserve heaps */
+ unfold acc(Emp(l.h)) /* Thus, l.h must be evaluated in the top reserve heap */
+ }
+}
+
+predicate P(x: Ref) { acc(x.h) && x.h != null && acc(x.h.h) && x.h.h != null }
+predicate Q(x: Ref) { acc(x.h) && x.h != null }
+
+method test04(l: Ref) {
+ package acc(P(l)) --* acc(l.h) && acc(Q(l.h)) {
+ unfold P(l)
+ /* Permissions gained from unfolding P(l) are pushed as a new heap
+ * to the top of the reserve heaps. */
+ fold Q(l.h)
+ /* When consuming the body of Q(l.h), evaluations need to happen in
+ * the heap in which the consumption was started (e.g., in σUsed).
+ *
+ * When producing Q(l.h) (which is produced *into* σUsed) l.h needs
+ * to be evaluated in the top reserve heap. */
+ }
+}
+
+method test05(l: Ref) {
+ package acc(P(l)) --* acc(Q(l)) {
+ unfold P(l)
+ fold Q(l)
+ }
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/folding.vpr b/src/test/resources/biabduction/vipertests/wands/folding.vpr
new file mode 100644
index 00000000..f99268a3
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/folding.vpr 
@@ -0,0 +1,107 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +field f: Int +field g: Int + +predicate Pair(this: Ref) { + acc(this.f, write) && acc(this.g, write) +} + +function sum(p: Ref): Int + requires acc(Pair(p), write) +{ + unfolding acc(Pair(p), write) in (p.f) + (p.g) +} + +//method test06() { +// var p: Ref +// p := new(f, g) +// +// p.g := 0; +// +// package +// //:: ExpectedOutput(wand.not.wellformed) +// (acc(p.f, write) && p.f > 0) +// --* +// folding acc(Pair(p), write) in (sum(p) > 0) // rhs is not self-framing +//} + +method test00(p: Ref) + requires acc(Pair(p)) + requires sum(p) > 0 +{ + package true --* acc(Pair(p), write) && sum(p) > 0 +} + +//method test01() { +// var p: Ref +// p := new(f, g) +// +// p.g := 0; +// +// package +// (acc(p.f, write) && p.f > 0) +// --* +// folding acc(Pair(p), write) in (acc(Pair(p), write) && sum(p) > 0) +// +//// assert acc(p.f, write) +//// //:: ExpectedOutput(assert.failed:insufficient.permission) +//// assert acc(p.g, write) +//} + +//method test02() +//{ +// var p: Ref +// p := new(f, g) +// +// p.g := -1; +// +// //:: ExpectedOutput(package.failed:assertion.false) +// package +// (acc(p.f, write) && p.f > 0) +// --* +// folding acc(Pair(p), write) in (acc(Pair(p), write) && sum(p) > 0) +//} +// +//method test03() { +// var p: Ref +// p := new(f, g) +// +// exhale acc(p.g, 1/2) +// +// //:: ExpectedOutput(package.failed:insufficient.permission) +// package +// (acc(p.f, write) && p.f > 0) +// --* +// folding acc(Pair(p), write) in (acc(Pair(p), write) && sum(p) > 0) +//} +// +//method test04(p: Ref) +// requires (acc(p.f, write) && p.f > 0) --* (acc(Pair(p), write) && sum(p) > 0) +// requires acc(p.f, write) +//{ +// p.f := 1 +// apply (acc(p.f, write) && p.f > 0) --* (acc(Pair(p), write) && sum(p) > 0) +// +// assert acc(Pair(p), write) && sum(p) > 0 +// //:: ExpectedOutput(assert.failed:insufficient.permission) +// assert acc(p.f, write) 
+//}
+//
+//method test05() {
+// var p: Ref
+// p := new(f, g)
+//
+// p.g := 0;
+//
+// package
+// (acc(p.f, write) && p.f > 0)
+// --*
+// folding acc(Pair(p), write) in (acc(Pair(p), write) && sum(p) > 0)
+//
+// test04(p)
+//
+// //:: ExpectedOutput(assert.failed:wand.not.found)
+// assert (acc(p.f, write) && p.f > 0) --* (acc(Pair(p), write) && sum(p) > 0)
+//}
diff --git a/src/test/resources/biabduction/vipertests/wands/issue009.vpr b/src/test/resources/biabduction/vipertests/wands/issue009.vpr
new file mode 100644
index 00000000..ab282caa
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/issue009.vpr
@@ -0,0 +1,26 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field f: Ref
+
+predicate P(x: Ref) { acc(x.f) && acc(x.f.f) }
+predicate Q(y: Ref) { acc(y.f) }
+
+method test01(z: Ref)
+ requires acc(P(z))
+{
+ package (acc(P(z))) --* acc(z.f) && acc(Q(z.f)) {
+ unfold acc(P(z))
+ fold acc(Q(z.f))
+ }
+}
+
+//method test02(z: Ref)
+// requires true --* acc(z.f) && acc(z.f.f)
+//{
+// package true
+// --*
+// applying (true --* acc(z.f) && acc(z.f.f)) in
+// folding acc(Q(z.f)) in
+// acc(z.f) && acc(Q(z.f))
+//}
diff --git a/src/test/resources/biabduction/vipertests/wands/let_wands.vpr b/src/test/resources/biabduction/vipertests/wands/let_wands.vpr
new file mode 100644
index 00000000..04c77a4b
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/let_wands.vpr
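Review bot: In folding.vpr only test00 is active; test01 through test06 are commented out without a stated reason, so their `ExpectedOutput` annotations are inert and a later reader cannot tell whether those cases are unsupported, known to fail, or simply forgotten. A short header comment recording the reason would fix that, e.g. `// test01-test06 are disabled: <REASON — placeholder, fill in from the tracking issue or the unsupported feature>`; the actual reason is not visible in the hunk, so it should be stated rather than guessed. The same applies to the commented-out test02 in issue009.vpr.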
@@ -0,0 +1,147 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +field f: Int +field g: Int + +predicate Pair(this: Ref) { + acc(this.f) && acc(this.g) +} + +function sum(p: Ref): Int + requires acc(Pair(p)) +{ unfolding acc(Pair(p)) in (p.f) + (p.g) } + +method test01(x: Ref) + requires acc(x.f) + ensures acc(x.f) +{ + var w: Int := x.f + package acc(x.f) && x.f == w --* acc(x.f) && x.f == old(x.f) + + apply acc(x.f) && x.f == old(x.f) --* acc(x.f) && x.f == w +} + +method test02(x: Ref) + requires acc(x.f) + ensures acc(x.f) +{ + var w: Int := x.f + package acc(x.f) && x.f == w --* acc(x.f) && x.f == old(x.f) + + x.f := 0 + + //:: ExpectedOutput(apply.failed:assertion.false) + apply acc(x.f) && x.f == w --* acc(x.f) && x.f == old(x.f) +} + +method test03(x: Ref) + requires acc(x.f) + requires let a == (x.f) in acc(x.f) && x.f == a --* acc(x.f) && x.f == a +{ + var w: Int := x.f + apply acc(x.f) && x.f == w --* acc(x.f) && x.f == old(x.f) +} + +method test04(x: Ref) + requires acc(x.f) + requires let a == (x.f) in acc(x.f) && x.f == a --* acc(x.f) && x.f == 0 +{ + var w: Int := x.f + x.f := 0 + //:: ExpectedOutput(apply.failed:assertion.false) + apply acc(x.f) && x.f == w --* acc(x.f) && x.f == 0 +} + +method test05(x: Ref, y: Ref) + requires acc(Pair(x)) + requires let a == (sum(x)) in acc(Pair(x)) && sum(x) == a --* acc(y.f) + ensures acc(y.f) +{ + unfold acc(Pair(x)) + fold acc(Pair(x)) + + var w: Int := sum(x) + apply acc(Pair(x)) && sum(x) == w --* acc(y.f) +} + +method test07(x: Ref, y: Ref) + requires acc(Pair(x)) + requires let a == (sum(x)) in acc(Pair(x)) && sum(x) == a --* acc(y.f) + ensures acc(y.f) +{ + unfold acc(Pair(x)) + x.f := x.g + fold acc(Pair(x)) + + //:: ExpectedOutput(apply.failed:assertion.false) + apply acc(Pair(x)) && sum(x) == old(sum(x)) --* acc(y.f) +} + +method test08(x: Ref) + requires acc(x.f) && acc(x.g) +{ + define A acc(x.f) + define B acc(Pair(x)) && sum(x) == 
(old[lhs](x.f) + old(x.g)) + + package (A) --* B { + fold acc(Pair(x)) + } + apply A --* B + + unfold acc(Pair(x)) + + //:: ExpectedOutput(assert.failed:assertion.false) + assert false +} + +method test10(b: Bool, x: Ref) + requires x != null + requires acc(x.f) +{ + x.f := 1 + var w: Int := x.f + package acc(x.f) && x.f == w - 1 --* acc(x.f) && x.f == 0 + + exhale acc(x.f) && x.f == 0 --* acc(x.f) && x.f == 0 + + w := x.f + package acc(x.f) && x.f == w - 1 --* acc(x.f) && x.f == 0 + + x.f := 10 + + //:: ExpectedOutput(exhale.failed:wand.not.found) + exhale acc(x.f) && x.f == 10 --* acc(x.f) && x.f == 0 +} + +method test11(b: Bool, x: Ref) + requires x != null + requires acc(x.f) +{ + var w: Int := x.f + package acc(x.f) && x.f > w --* acc(x.f) + + x.f := x.f + 1 + apply acc(x.f) && x.f > w --* acc(x.f) + + w := x.f + package acc(x.f) && x.f > w --* acc(x.f) + + x.f := x.f + 1 + w := x.f + + //:: ExpectedOutput(exhale.failed:wand.not.found) + exhale acc(x.f) && x.f > w --* acc(x.f) +} + +method test12(x: Ref, y: Ref) + requires acc(Pair(x)) + requires let a == (sum(x)) in acc(Pair(x)) && sum(x) == a --* acc(y.f) +{ + var w: Int := sum(x) + + //:: ExpectedOutput(package.failed:insufficient.permission) + package (acc(Pair(x)) && sum(x) == w) --* acc(y.f) && acc(y.g) { + apply acc(Pair(x)) && sum(x) == w --* acc(y.f) + } +} diff --git a/src/test/resources/biabduction/vipertests/wands/lhs.vpr b/src/test/resources/biabduction/vipertests/wands/lhs.vpr new file mode 100644 index 00000000..adfd76bd --- /dev/null +++ b/src/test/resources/biabduction/vipertests/wands/lhs.vpr 
@@ -0,0 +1,36 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+//:: IgnoreFile(/carbon/issue/102/)
+
+field f: Int
+field g: Int
+
+predicate Pair(this: Ref) {
+ acc(this.f) && acc(this.g)
+}
+
+function sum(p: Ref): Int
+ requires acc(Pair(p))
+{ unfolding Pair(p) in p.f + p.g }
+
+method test1(p: Ref)
+ requires acc(p.f)
+ requires acc(p.g)
+{
+ p.f := 10
+
+ package (acc(p.g)) --* acc(Pair(p)) && sum(p) == 10 + old[lhs](p.g) {
+ fold Pair(p)
+ }
+ // TODO: package acc(p.g) --* folding Pair(p) in sum(p) == 10 + lhs(p.g) must be rejected!
+}
+
+method test2(p: Ref)
+ requires acc(p.g)
+ requires acc(p.g) --* acc(Pair(p)) && sum(p) == 10 + old[lhs](p.g)
+{
+ p.g := 3
+ apply acc(p.g) --* acc(Pair(p)) && sum(p) == 10 + old[lhs](p.g)
+ assert sum(p) == 13
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/list_insert.vpr b/src/test/resources/biabduction/vipertests/wands/list_insert.vpr
new file mode 100644
index 00000000..6edf2ce1
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/list_insert.vpr
@@ -0,0 +1,114 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +//:: IgnoreFile(/carbon/issue/102/) + +/* This example encodes and specifies an iterative implementation of + * inserting a value into a linked list. A magic wand is used to + * book-keep permissions. + * + * Notes: + * + * - In previous versions of Silicon, the sequence axiomatisation + * had a problem that could slow down Z3 significantly. This is + * orthogonal to our work on magic wands. Should you experience + * verification runs that take much longer than the timing + * information included in our paper, please try + * list_insert_noseq.vpr, which is a version of this example from + * which all sequence-related assertions have been erased (the + * wands are still included). + * + * - The additional two asserts are currently necessary because of a + * known incompleteness of Silicon (again, see list_insert_noseq.vpr + * for a version from which all sequence-related assertions have + * been removed). + */ + +field val: Int +field next: Ref + +/* The usual linked-list predicate. */ +predicate List(xs: Ref) { + acc(xs.val) && acc(xs.next) && (xs.next != null ==> acc(List(xs.next))) +} + +/* Returns the elements stored in the linked-list xs. */ +function elems(xs: Ref): Seq[Int] + requires acc(List(xs)) +{ unfolding List(xs) in Seq(xs.val) ++ (xs.next == null ? Seq[Int]() : elems(xs.next)) } + +/* Returns the head value of the linked-list xs. */ +function head(xs: Ref): Int + requires acc(List(xs)) +{ unfolding List(xs) in xs.val } + +/* Inserts value x at an appropriate position into the ordered linked-list xs, such that + * the list remains ordered if it was in ascending order before. + */ +method insert(xs: Ref, x:Int) returns (i: Int) + requires acc(List(xs)) + requires head(xs) < x + ensures acc(List(xs)) + ensures elems(xs) == old(elems(xs))[0..i+1] ++ Seq(x) ++ old(elems(xs))[i+1..] 
+{ + var crt: Ref + var nxt: Ref + i := 0 + + define A acc(List(crt)) + define B acc(List(xs)) && elems(xs) == old(elems(xs))[0..i] ++ old[lhs](elems(crt)) + + unfold List(xs) + crt := xs + nxt := xs.next + + package A --* B + + /* Find the appropriate position for x in the linked-list. After the loop, + * crt points to the first node in the list s.t. crt.next is either null, + * or crt.next.val >= x. nxt is always equal to crt.next. + */ + while (nxt != null && head(nxt) < x) + invariant 0 <= i && i < |old(elems(xs))| + invariant nxt == null ==> i == |old(elems(xs))| - 1 + invariant acc(crt.val) && acc(crt.next) + invariant nxt == crt.next + invariant crt.val == old(elems(xs))[i] + invariant nxt != null ==> (acc(List(nxt)) && elems(nxt) == old(elems(xs))[i+1..]) + invariant A --* B + { + assert old(elems(xs))[i+1] == elems(nxt)[0] + var oi: Int := i + + var prev: Ref := crt + + unfold List(nxt) + crt := nxt + nxt := nxt.next + i := i + 1 + + package (A) --* B { + fold List(prev) + apply acc(List(prev)) --* acc(List(xs)) && elems(xs) == old(elems(xs))[0..oi] ++ old[lhs](elems(prev)) + } + } + + /* Create a new node with value x and append the list tail starting at nxt to it. */ + var node: Ref + node := new(val,next) + node.val := x + node.next := nxt + + fold List(node) + + assert elems(node) == Seq(x) ++ old(elems(xs))[i+1..] + + /* Append the new node (and its tail) to the current node. */ + crt.next := node + fold List(crt) + + /* Give up the sublist starting at crt and get back the original list *with* + * the newly inserted value. + */ + apply A --* B +} diff --git a/src/test/resources/biabduction/vipertests/wands/list_insert_noseq.vpr b/src/test/resources/biabduction/vipertests/wands/list_insert_noseq.vpr new file mode 100644 index 00000000..5e6f4746 --- /dev/null +++ b/src/test/resources/biabduction/vipertests/wands/list_insert_noseq.vpr 
@@ -0,0 +1,96 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +/* This example is a version of list_insert.vpr from which all + * sequence-related assertions have been erased (in previous versions + * of Silicon, the sequence axiomatisation had a problem that could + * slow down Z3 significantly). + */ + +field val: Int +field next: Ref + +/* The usual linked-list predicate. */ +predicate List(xs: Ref) { + acc(xs.val) && acc(xs.next) && (xs.next != null ==> acc(List(xs.next))) +} + +/* Returns the elements stored in the linked-list xs. */ +// function elems(xs: Ref): Seq[Int] + // requires acc(List(xs)) +// { unfolding List(xs) in Seq(xs.val) ++ (xs.next == null ? Seq[Int]() : elems(xs.next)) } + +/* Returns the head value of the linked-list xs. */ +function head(xs: Ref): Int + requires acc(List(xs)) +{ unfolding List(xs) in xs.val } + +/* Inserts value x at an appropriate position into the ordered linked-list xs, such that + * the list remains ordered if it was in ascending order before. + */ +method insert(xs: Ref, x: Int) returns (i: Int) + requires acc(List(xs)) + requires head(xs) < x + ensures acc(List(xs)) + // ensures elems(xs) == old(elems(xs))[0..i+1] ++ Seq(x) ++ old(elems(xs))[i+1..] +{ + var crt: Ref + var nxt: Ref + i := 0 + + define A acc(List(crt)) + define B acc(List(xs)) // && elems(xs) == old(elems(xs))[0..i] ++ lhs(elems(crt)) + + unfold List(xs) + crt := xs + nxt := xs.next + + package A --* B + + /* Find the appropriate position for x in the linked-list. After the loop, + * crt points to the first node in the list for which crt.next is either null, + * or crt.next.val >= x. The variable nxt is always equal to crt.next. 
+ */ + while (nxt != null && head(nxt) < x) + // invariant 0 <= i && i < |old(elems(xs))| + // invariant nxt == null ==> i == |old(elems(xs))| - 1 + invariant acc(crt.val) && acc(crt.next) + invariant nxt == crt.next + // invariant crt.val == old(elems(xs))[i] + invariant nxt != null ==> (acc(List(nxt))) // && elems(nxt) == old(elems(xs))[i+1..]) + invariant A --* B + { + // assert old(elems(xs))[i+1] == elems(nxt)[0] + + var oldCrt: Ref := crt + var prev: Ref := crt + + unfold List(nxt) + crt := nxt + nxt := nxt.next + i := i + 1 + + package (A) --* B { + fold List(prev) + apply acc(List(oldCrt)) --* acc(List(xs)) + } + } + + /* Create a new node with value x and append the list tail starting at nxt to it. */ + var node: Ref + node := new(val, next) + node.val := x + node.next := nxt + fold List(node) + + // assert elems(node) == Seq(x) ++ old(elems(xs))[i+1..] + + /* Append the new node (and its tail) to the current node. */ + crt.next := node + fold List(crt) + + /* Give up the sublist starting at crt and get back the original list *with* + * the newly inserted value. + */ + apply A --* B +} diff --git a/src/test/resources/biabduction/vipertests/wands/list_sum.vpr b/src/test/resources/biabduction/vipertests/wands/list_sum.vpr new file mode 100644 index 00000000..c399b56e --- /dev/null +++ b/src/test/resources/biabduction/vipertests/wands/list_sum.vpr 
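Review bot: In the loop body of `insert`, `oldCrt` and `prev` are both initialised to `crt` and never reassigned, so the package block names one value twice (`fold List(prev)` followed by `apply acc(List(oldCrt)) --* acc(List(xs))`). Dropping `var oldCrt: Ref := crt` and writing `apply acc(List(prev)) --* acc(List(xs))` keeps the wand readable and mirrors list_insert.vpr, which uses `prev` alone. The same duplicated alias appears in list_sum.vpr, where `oldXs` and `zs` are both set to `xs` before the unfold. If the separate name is deliberate because the abduction machinery matches the wand's LHS syntactically, a one-line comment saying so would save the next reader the same question.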
@@ -0,0 +1,98 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +/* This example encodes and specifies an iterative computation of the + * sum of a recursively defined linked-list. Magic wands are used to + * book-keep permissions in the loop. + */ + +field val: Int +field next: Ref + +/* Linked-list abstract predicate. Contains access to the fields of the current + * node ys, and transitively, to the fields of all nodes in the tail. + */ +predicate List(ys: Ref) { + acc(ys.val) && acc(ys.next) && (ys.next != null ==> acc(List(ys.next))) +} + +/* Pure function that computes the sum in a straight-forward, recursive way. */ +function sum_rec(ys: Ref): Int + requires acc(List(ys)) +{ unfolding List(ys) in ys.val + (ys.next == null ? 0 : sum_rec(ys.next)) } + +/* Iterative computation of the sum over the linked-list ys. The postcondition + * states that the iterative computation yields the same result as the + * recursive one. + */ +method sum_it(ys: Ref) returns (sum: Int) + requires ys != null + requires acc(List(ys)) + ensures acc(List(ys)) + ensures sum == old(sum_rec(ys)) +{ + var xs: Ref := ys /* Pointer to the current node in the list */ + sum := 0 /* Sum computed so far*/ + + var old_sum_xs : Int /* used to store sum of list from xs, when wand is packaged */ + + /* Short-hands to keep the specifications concise */ + define A xs != null ==> acc(List(xs)) && sum_rec(xs) == old_sum_xs + define B acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys)) + + /* (Trivially) establish the promise that giving up the list starting from + * the current node xs - which at this point is the head of the list - in a + * shape s.t. its sum is the same as it is at this point (sum_rec(xs) == old_sum_xs), + * yields a list that starts at the old head node (ys) and whose sum is the + * sum of the original list (sum_rec(ys) == old(sum_rec(ys))). 
+ */ + old_sum_xs := sum_rec(xs) + + package A --* B + + /* Iteratively compute the sum. + * The loop invariant states that + * 1. we have permissions to the list starting at the current node xs (if + * not null) + * 2. the computed sum is the sum of the original list minus the sum of the + * nodes still to visit, i.e., the sum of the list starting at the + * current node xs. + * 3. the previously described promise holds + */ + while (xs != null) + invariant xs != null ==> acc(List(xs)) + invariant old_sum_xs == (xs == null ? 0 : sum_rec(xs)) + invariant sum == old(sum_rec(ys)) - old_sum_xs; + invariant A --* B + { + var oldXs: Ref := xs + var oldOld_sum_xs: Int := old_sum_xs + + /* Let zs point to the *current* current node, update the sum and advance + * the current node pointer. + */ + var zs: Ref := xs + unfold List(xs) + sum := sum + xs.val + xs := xs.next + + /* Update the promise. This exhales access to the fields of the *previous* + * current node zs, and the magic wand instance w, since they belong to the + * footprint of the packaged magic wand instance. + */ + old_sum_xs := (xs == null ? 0 : sum_rec(xs)) + + package (A) --* B { + fold List(zs) + apply (oldXs != null ==> acc(List(oldXs)) && sum_rec(oldXs) == oldOld_sum_xs) --* + (acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys))) + } + } + + /* Use the promise to get back the unchanged list starting at ys. + * xs is null, so nothing is given up, but that is correct because + * intuitively, the permissions to each node in the list has been + * packaged into the wand while the loop executed. + */ + apply A --* B +} diff --git a/src/test/resources/biabduction/vipertests/wands/loop_sum_ghostvar_old.vpr b/src/test/resources/biabduction/vipertests/wands/loop_sum_ghostvar_old.vpr new file mode 100644 index 00000000..10df26f8 --- /dev/null +++ b/src/test/resources/biabduction/vipertests/wands/loop_sum_ghostvar_old.vpr 
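Review bot: The comment above the `old_sum_xs` update in `sum_it` refers to "the magic wand instance w", but nothing in this file binds a wand to a name `w`; the wand is always spelled out as `A --* B`. Rewording it to `/* Update the promise. This exhales access to the fields of the *previous* current node zs, and the previously packaged wand A --* B, since they belong to the footprint of the new wand instance. */` keeps the comment consistent with the code it describes.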
@@ -0,0 +1,75 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +field v: Int +field n: Ref + +predicate List(this: Ref) { + acc(this.v) && acc(this.n) && (this.n != null ==> acc(List(this.n))) +} + +function sum_rec(this: Ref): Int + requires acc(List(this)) +{ unfolding List(this) in (this.v + (this.n == null ? 0 : sum_rec(this.n))) } + +method sum_it(ys: Ref) returns (sum: Int) + requires ys != null + requires acc(List(ys)) + ensures acc(List(ys)) + ensures sum == old(sum_rec(ys)) +{ + var xs: Ref + xs := ys + sum := 0 + + /* ghost */ var oldsum_xs: Int + oldsum_xs := sum_rec(xs) + + package + ((xs != null) ==> (acc(List(xs)) && sum_rec(xs) == oldsum_xs)) + --* + (acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys))) + + while (xs != null) + invariant ((xs != null) ==> acc(List(xs))) + invariant sum == (old(sum_rec(ys)) - (xs == null ? 0 : sum_rec(xs))); + invariant + ((xs != null) ==> (acc(List(xs)) && sum_rec(xs) == oldsum_xs)) + --* + (acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys))) + { + assume oldsum_xs == sum_rec(xs) + /* [Malte] I think that it is crucial that oldsum_xs is assigned to at + * least once in the loop, because it will otherwise still have + * the value that it had outside of the loop (a Sil/Silicon feature). + * If so, then the assume in here is unsound because xs changes in + * every loop iteration. 
+ */
+
+ /* ghost */ var prev_xs: Ref
+ prev_xs := xs
+
+ unfold List(xs)
+ sum := sum + (xs.v)
+ xs := xs.n;
+
+ /* ghost */ var oldoldsum_xs: Int
+ oldoldsum_xs := oldsum_xs
+
+ if (xs != null) {
+ oldsum_xs := sum_rec(xs)
+ }
+
+ package
+ ((xs != null) ==> (acc(List(xs)) && sum_rec(xs) == oldsum_xs))
+ --* (acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys))) {
+ fold List(prev_xs)
+ apply ((prev_xs != null) ==> (acc(List(prev_xs)) && sum_rec(prev_xs) == oldoldsum_xs)) --* (acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys)))
+ }
+ }
+
+ apply
+ ((xs != null) ==> (acc(List(xs)) && sum_rec(xs) == oldsum_xs))
+ --*
+ (acc(List(ys)) && sum_rec(ys) == old(sum_rec(ys)))
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/nesting.vpr b/src/test/resources/biabduction/vipertests/wands/nesting.vpr
new file mode 100644
index 00000000..2a60459e
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/nesting.vpr
@@ -0,0 +1,29 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+field f: Int
+field g: Int
+field h: Int
+
+method test01(x: Ref)
+ requires acc(x.f, write) && acc(x.g, write) && acc(x.h, write)
+{
+ define F acc(x.f, write)
+ define G acc(x.g, write)
+ define H acc(x.h, write)
+
+ package F --* (F && G)
+ package H --* (H && (F --* (F && G)))
+
+ test02(x)
+}
+
+method test02(x: Ref)
+ requires acc(x.h, write) --* (acc(x.h, write) && (acc(x.f, write) --* (acc(x.f, write) && acc(x.g, write))))
+ requires acc(x.h, write) && acc(x.f, write)
+{
+ apply acc(x.h, write) --* (acc(x.h, write) && (acc(x.f, write) --* (acc(x.f, write) && acc(x.g, write))))
+ apply acc(x.f, write) --* (acc(x.f, write) && acc(x.g, write))
+
+ assert acc(x.g, write)
+}
diff --git a/src/test/resources/biabduction/vipertests/wands/tree_delete_min.vpr b/src/test/resources/biabduction/vipertests/wands/tree_delete_min.vpr
new file mode 100644
index 00000000..00b679f2
--- /dev/null
+++ b/src/test/resources/biabduction/vipertests/wands/tree_delete_min.vpr 
@@ -0,0 +1,91 @@ +// Any copyright is dedicated to the Public Domain. +// http://creativecommons.org/publicdomain/zero/1.0/ + +//:: IgnoreFile(/carbon/issue/280/) + +/* This example shows how magic wands can be used to specify the + * imperative version of challenge 3 from the VerifyThis@FM2012 + * verification competition. Method tree_delete_min below is an + * iterative implementation of the removal of the minimal element + * in a binary search tree. + * + * The example contains two assertions (marked with "TODO") that + * help overcoming an incompleteness with respect to sequences. + */ + +field v: Int +field l: Ref +field r: Ref + +predicate Tree(x: Ref) { + x == null + ? true + : acc(x.v) + && acc(x.l) && acc(Tree(x.l)) + && acc(x.r) && acc(Tree(x.r)) +} + +function val(x: Ref): Int + requires x != null && acc(Tree(x)) +{ unfolding acc(Tree(x)) in x.v } + +function vals(x: Ref): Seq[Int] + requires acc(Tree(x)) +{ x == null ? Seq[Int]() : unfolding acc(Tree(x)) in vals(x.l) ++ Seq(x.v) ++ vals(x.r) } + +/* Deletes the minimal element of a binary tree, assuming that the + * tree is a binary search tree (which, for simplicity, is not made + * explicit in the definition of predicate Tree). + */ +method tree_delete_min(x: Ref) returns (z: Ref) + requires x != null && acc(Tree(x)) + ensures acc(Tree(z)) /* POST1 */ + ensures vals(z) == old(vals(x))[1..] /* POST2 */ +{ + var p: Ref := x + var plvs: Seq[Int] + + define A acc(p.l) && acc(Tree(p.l)) && vals(p.l) == plvs[1..] + define B acc(Tree(x)) && vals(x) == old(vals(x))[1..] 
+ + unfold acc(Tree(p)) + plvs := vals(p.l) + + if (p.l == null) { + z := p.r + + assert vals(x.l) == Seq[Int]() /* TODO: Required by Silicon for POST2 */ + } else { + package (A) --* B { + fold acc(Tree(p)) + } + + while (unfolding acc(Tree(p.l)) in p.l.l != null) + invariant p != null && acc(p.l) && acc(Tree(p.l)) && p.l != null + invariant plvs == vals(p.l) + invariant A --* B + { + var oldP: Ref := p + var oldPlvs: Seq[Int] := plvs + + unfold acc(Tree(p.l)) + p := p.l + plvs := vals(p.l) + + package (A) --* B { + fold Tree(p) + apply acc(oldP.l) && acc(Tree(oldP.l)) && vals(oldP.l) == oldPlvs[1..] --* + acc(Tree(x)) && vals(x) == old(vals(x))[1..] + } + } + + unfold acc(Tree(p.l)) + assert vals(p.l.l) == Seq[Int]() /* TODO: Required by Silicon for POST2 */ + + p.l := p.l.r + + apply A --* B + + z := x + } +} diff --git a/src/test/resources/biabduction/vipertests/wands/un_currying.vpr b/src/test/resources/biabduction/vipertests/wands/un_currying.vpr new file mode 100644 index 00000000..8c764eb9 --- /dev/null +++ b/src/test/resources/biabduction/vipertests/wands/un_currying.vpr 
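Review bot: Inside the loop's package block in `tree_delete_min` the predicate is folded as `fold Tree(p)`, while every other fold and unfold in the file uses the `acc(...)` spelling (`fold acc(Tree(p))` in the else branch, `unfold acc(Tree(p.l))`). Both forms are accepted by Viper, but one spelling per file is easier to scan; `fold acc(Tree(p))` would match the rest. The two `TODO: Required by Silicon for POST2` asserts are prover helpers rather than part of the specification; if they are still needed under the biabduction setup, the header comment, which mentions them only as "two assertions", could say which incompleteness they work around.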
@@ -0,0 +1,62 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/publicdomain/zero/1.0/
+
+/* This example shows how our approach to magic wands can be used to
+ * prove the property
+ *
+ * A * B --* C <==> A --* B --* C
+ *
+ * We prove both directions independently, both proofs require nested
+ * ghost operations. In the "<==" case (method uncurry()) we get to
+ * assume the hypothetical LHS A * B while showing the overall wand
+ * A * B --* C, and we can therefore subsequently apply the outer and
+ * inner wand that we were given (A --* B --* C), which suffices to
+ * show the RHS C.
+ *
+ * The "==>" case is more involved. An initial idea might be to
+ * package the inner wand B --* C first, followed by the outer wand
+ * A --* B --* C. However, the sequence of statements
+ * package B --* C
+ * package A --* B --* C
+ * is doomed to fail because, given only the hypothetical state B, we
+ * won't be able to show C in the first statement (note that we
+ * cannot apply A * B --* C to get C, because we lack A).
+ * The solution is using a packaging-expression nested into a package
+ * statement, which yields two hypothetical states (the first
+ * satisfying A, the second B), which in turn enables us to apply the
+ * given wand A * B --* C.
+ */
+
+/* The predicates are abstract (no bodies) - in principle, these represent any self-framing assertion */
+predicate P()
+predicate Q()
+predicate R()
+
+/* Define short-hands for the sake of readability */
+define A acc(P())
+define B acc(Q())
+define C acc(R())
+
+/* A --* B --* C ==> A * B --* C */
+method uncurry()
+ requires A --* (B --* C)
+ ensures A && B --* C
+{
+ package (A && B) --* C {
+ apply A --* (B --* C)
+ apply B --* C
+ }
+}
+
+/* A * B --* C ==> A --* B --* C */
+method curry()
+ requires A && B --* C
+ ensures A --* (B --* C)
+{
+ package (A) --* B --* C {
+ package (B --* C) {
+ apply A && B --* C
+ }
+
+ }
+}